Source: openssl Version: 3.1.4-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for openssl. CVE-2024-0727[0]: | Issue summary: Processing a maliciously formatted PKCS12 file may | lead OpenSSL to crash leading to a potential Denial of Service | attack Impact summary: Applications loading files in the PKCS12 | format from untrusted sources might terminate abruptly. A file in | PKCS12 format can contain certificates and keys and may come from an | untrusted source. The PKCS12 specification allows certain fields to | be NULL, but OpenSSL does not correctly check for this case. This | can lead to a NULL pointer dereference that results in OpenSSL | crashing. If an application processes PKCS12 files from an untrusted | source using the OpenSSL APIs then that application will be | vulnerable to this issue. OpenSSL APIs that are vulnerable to this | are: PKCS12_parse(), PKCS12_unpack_p7data(), | PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and | PKCS12_newpass(). We have also fixed a similar issue in | SMIME_write_PKCS7(). However since this function is related to | writing data we do not consider it security significant. The FIPS | modules in 3.2, 3.1 and 3.0 are not affected by this issue. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-0727 https://www.cve.org/CVERecord?id=CVE-2024-0727 [1] https://www.openssl.org/news/secadv/20240125.txt Please adjust the affected versions in the BTS as needed. Regards, Salvatore