UbuntuUpdates.org

Package "openssl"

Name: openssl

Description:

Secure Sockets Layer toolkit - cryptographic utility

Latest version: 3.0.13-0ubuntu3.4
Release: noble (24.04)
Level: security
Repository: main
Homepage: https://www.openssl.org/

Links


Download "openssl"


Other versions of "openssl" in Noble

Repository Area Version
base main 3.0.13-0ubuntu3
updates main 3.0.13-0ubuntu3.4

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 3.0.13-0ubuntu3.4 2024-09-03 16:06:53 UTC

  openssl (3.0.13-0ubuntu3.4) noble-security; urgency=medium

  * SECURITY UPDATE: Possible denial of service in X.509 name checks
    - debian/patches/CVE-2024-6119.patch: avoid type errors in EAI-related
      name check logic in crypto/x509/v3_utl.c, test/*.
    - CVE-2024-6119

 -- Marc Deslauriers <email address hidden> Tue, 20 Aug 2024 13:05:36 -0400

Source diff to previous version

Version: 3.0.13-0ubuntu3.2 2024-07-31 18:07:14 UTC

  openssl (3.0.13-0ubuntu3.2) noble-security; urgency=medium

  * SECURITY UPDATE: unbounded mem growth when processing TLSv1.3 sessions
    - debian/patches/CVE-2024-2511.patch: fix unconstrained session cache
      growth in TLSv1.3 in ssl/ssl_lib.c, ssl/ssl_sess.c,
      ssl/statem/statem_srvr.c.
    - CVE-2024-2511
  * SECURITY UPDATE: checking excessively long DSA keys or params very slow
    - debian/patches/CVE-2024-4603.patch: check DSA parameters for
      excessive sizes before validating in crypto/dsa/dsa_check.c,
      test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem.
    - CVE-2024-4603
  * SECURITY UPDATE: use after free with SSL_free_buffers
    - debian/patches/CVE-2024-4741.patch: only free the read buffers if
      we're not using them in ssl/record/rec_layer_s3.c,
      ssl/record/record.h, ssl/ssl_lib.c.
    - CVE-2024-4741
  * SECURITY UPDATE: crash or memory disclosure via SSL_select_next_proto
    - debian/patches/CVE-2024-5535.patch: validate provided client list in
      ssl/ssl_lib.c.
    - CVE-2024-5535

 -- Marc Deslauriers <email address hidden> Tue, 30 Jul 2024 11:03:13 -0400

Source diff to previous version
CVE-2024-2511 Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An atta
CVE-2024-4603 Issue summary: Checking excessively long DSA keys or parameters may be very slow. Impact summary: Applications that use the functions EVP_PKEY_param
CVE-2024-4741 Use After Free with SSL_free_buffers
CVE-2024-5535 Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory con

Version: 3.0.13-0ubuntu3.1 2024-05-23 08:07:13 UTC

  openssl (3.0.13-0ubuntu3.1) noble-security; urgency=medium

  * SECURITY UPDATE: Implicit rejection for RSA PKCS#1 (LP: #2054090)
    - debian/patches/openssl-pkcs1-implicit-rejection.patch:
      Return deterministic random output instead of an error in case
      there is a padding error in crypto/cms/cms_env.c,
      crypto/evp/ctrl_params_translate.c, crypto/pkcs7/pk7_doit.c,
      crypto/rsa/rsa_ossl.c, crypto/rsa/rsa_pk1.c,
      crypto/rsa/rsa_pmeth.c, doc/man1/openssl-pkeyutl.pod.in,
      doc/man1/openssl-rsautl.pod.in, doc/man3/EVP_PKEY_CTX_ctrl.pod,
      doc/man3/EVP_PKEY_decrypt.pod,
      doc/man3/RSA_padding_add_PKCS1_type_1.pod,
      doc/man3/RSA_public_encrypt.pod, doc/man7/provider-asym_cipher.pod,
      include/crypto/rsa.h, include/openssl/core_names.h,
      include/openssl/rsa.h,
      providers/implementations/asymciphers/rsa_enc.c and
      test/recipes/30-test_evp_data/evppkey_rsa_common.txt.

 -- David Fernandez Gonzalez <email address hidden> Tue, 14 May 2024 11:06:27 +0200

2054090 Implicit rejection of PKCS#1 v1.5 RSA



About   -   Send Feedback to @ubuntu_updates