ELA-953-1 openssl security update
Package : openssl
Version : 1.0.1t-1+deb8u21 (jessie), 1.1.0l-1~deb9u9 (stretch)
Related CVEs :
CVE-2023-0464
CVE-2023-0465
CVE-2023-0466
CVE-2023-2650
CVE-2023-3446
Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit.
CVE-2023-0464
David Benjamin reported a flaw related to the verification of X.509
certificate chains that include policy constraints, which may result
in denial of service.
CVE-2023-0465
David Benjamin reported that invalid certificate policies in leaf
certificates are silently ignored. A malicious CA could take
advantage of this flaw to deliberately assert invalid certificate
policies in order to circumvent policy checking on the certificate
altogether.
CVE-2023-0466
David Benjamin discovered that the implementation of the
X509_VERIFY_PARAM_add0_policy() function does not enable the check
which allows certificates with invalid or incorrect policies to pass
the certificate verification (contrary to its documentation).
CVE-2023-2650
It was discovered that processing malformed ASN.1 object identifiers
or data may result in denial of service.
CVE-2023-3446
It was found that checking excessively long DH keys or parameters
could lead to denial of service.
In addition, the stretch update addresses the following issues:
CVE-2022-4304
A timing based side channel attack was found on the RSA decryption
implementation.
CVE-2023-3817
It was found that checking excessively long DH keys or parameters
could lead to denial of service.
An openssl security update has been released for Debian GNU/Linux 8 and 9 Extended LTS to address multiple vulnerabilities.
