UbuntuUpdates.org

Package "openssl"

Name: openssl

Description:

Secure Sockets Layer toolkit - cryptographic utility
Latest version: 3.0.10-1ubuntu2.3
Release: mantic (23.10)
Level: security
Repository: main
Homepage: https://www.openssl.org/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "openssl"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "openssl" in Mantic

Repository Area Version
base main 3.0.10-1ubuntu2
updates main 3.0.10-1ubuntu2.3

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 3.0.10-1ubuntu2.3 2024-02-27 11:07:01 UTC

  openssl (3.0.10-1ubuntu2.3) mantic-security; urgency=medium

  * SECURITY UPDATE: Implicit rejection for RSA PKCS#1 (LP: #2054090)
    - debian/patches/openssl-pkcs1-implicit-rejection.patch:
      Return deterministic random output instead of an error in case
      there is a padding error in crypto/cms/cms_env.c,
      crypto/evp/ctrl_params_translate.c, crypto/pkcs7/pk7_doit.c,
      crypto/rsa/rsa_ossl.c, crypto/rsa/rsa_pk1.c,
      crypto/rsa/rsa_pmeth.c, doc/man1/openssl-pkeyutl.pod.in,
      doc/man1/openssl-rsautl.pod.in, doc/man3/EVP_PKEY_CTX_ctrl.pod,
      doc/man3/EVP_PKEY_decrypt.pod,
      doc/man3/RSA_padding_add_PKCS1_type_1.pod,
      doc/man3/RSA_public_encrypt.pod, doc/man7/provider-asym_cipher.pod,
      include/crypto/rsa.h, include/openssl/core_names.h,
      include/openssl/rsa.h,
      providers/implementations/asymciphers/rsa_enc.c and
      test/recipes/30-test_evp_data/evppkey_rsa_common.txt.

 -- David Fernandez Gonzalez <email address hidden> Wed, 21 Feb 2024 11:45:39 +0100
Source diff to previous version
2054090 Implicit rejection of PKCS#1 v1.5 RSA

Version: 3.0.10-1ubuntu2.2 2024-02-05 12:08:01 UTC

  openssl (3.0.10-1ubuntu2.2) mantic-security; urgency=medium

  * SECURITY UPDATE: Excessive time spent in DH check / generation with
    large Q parameter value
    - debian/patches/CVE-2023-5678.patch: make DH_check_pub_key() and
      DH_generate_key() safer yet in crypto/dh/dh_check.c,
      crypto/dh/dh_err.c, crypto/dh/dh_key.c, crypto/err/openssl.txt,
      include/crypto/dherr.h, include/openssl/dh.h,
      include/openssl/dherr.h.
    - CVE-2023-5678
  * SECURITY UPDATE: POLY1305 MAC implementation corrupts vector registers
    on PowerPC
    - debian/patches/CVE-2023-6129.patch: fix vector register clobbering in
      crypto/poly1305/asm/poly1305-ppc.pl.
    - CVE-2023-6129
  * SECURITY UPDATE: Excessive time spent checking invalid RSA public keys
    - debian/patches/CVE-2023-6237.patch: limit the execution time of RSA
      public key check in crypto/rsa/rsa_sp800_56b_check.c,
      test/recipes/91-test_pkey_check.t,
      test/recipes/91-test_pkey_check_data/rsapub_17k.pem.
    - CVE-2023-6237
  * SECURITY UPDATE: PKCS12 Decoding crashes
    - debian/patches/CVE-2024-0727.patch: add NULL checks where ContentInfo
      data can be NULL in crypto/pkcs12/p12_add.c,
      crypto/pkcs12/p12_mutl.c, crypto/pkcs12/p12_npas.c,
      crypto/pkcs7/pk7_mime.c.
    - CVE-2024-0727

 -- Marc Deslauriers <email address hidden> Wed, 31 Jan 2024 13:03:16 -0500
Source diff to previous version
CVE-2023-5678 Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary:
CVE-2023-6129 Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications run
CVE-2023-6237 openssl: Checking excessively long invalid RSA public keys may take a long time
CVE-2024-0727 Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack Impact summa

Version: 3.0.10-1ubuntu2.1 2023-10-24 16:06:55 UTC

  openssl (3.0.10-1ubuntu2.1) mantic-security; urgency=medium

  * SECURITY UPDATE: Incorrect cipher key and IV length processing
    - debian/patches/CVE-2023-5363-1.patch: process key length and iv
      length early if present in crypto/evp/evp_enc.c.
    - debian/patches/CVE-2023-5363-2.patch: add unit test in
      test/evp_extra_test.c.
    - CVE-2023-5363

 -- Marc Deslauriers <email address hidden> Fri, 13 Oct 2023 07:51:05 -0400
CVE-2023-5363 Incorrect cipher key & IV length processing


About   -   Send Feedback to @ubuntu_updates