Date: Tue, 14 Dec 2021 19:11:55 GMT
From: Bernard Spil <brnrd@FreeBSD.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: git: 6b9cf2b05cbc - main - security/vuxml: Document OpenSSL 3.0 vulnerability
Message-ID: <202112141911.1BEJBt77092008@gitrepo.freebsd.org>
The branch main has been updated by brnrd:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6b9cf2b05cbc4f00ed949e877beee3ec6c5ca592

commit 6b9cf2b05cbc4f00ed949e877beee3ec6c5ca592
Author:     Bernard Spil <brnrd@FreeBSD.org>
AuthorDate: 2021-12-14 19:11:53 +0000
Commit:     Bernard Spil <brnrd@FreeBSD.org>
CommitDate: 2021-12-14 19:11:53 +0000

    security/vuxml: Document OpenSSL 3.0 vulnerability
---
 security/vuxml/vuln-2021.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
index 370da9897545..fc0c1bc5cdfe 100644
--- a/security/vuxml/vuln-2021.xml
+++ b/security/vuxml/vuln-2021.xml
@@ -1,3 +1,45 @@ + <vuln vid="0132ca5b-5d11-11ec-8be6-d4c9ef517024"> + <topic>OpenSSL -- Certificate validation issue</topic> + <affects> + <package> + <name>openssl-devel</name> + <range><lt>3.0.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The OpenSSL project reports:</p> + <blockquote cite="https://www.openssl.org/news/secadv/20211214.txt"> + <p>Invalid handling of X509_verify_cert() internal errors in libssl + (Moderate)</p> + <p>Internally libssl in OpenSSL calls X509_verify_cert() on the client + side to verify a certificate supplied by a server. That function may + return a negative return value to indicate an internal error (for + example out of memory). Such a negative return value is mishandled by + OpenSSL and will cause an IO function (such as SSL_connect() or + SSL_do_handshake()) to not indicate success and a subsequent call to + SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. + This return value is only supposed to be returned by OpenSSL if the + application has previously called SSL_CTX_set_cert_verify_callback(). + Since most applications do not do this the + SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be + totally unexpected and applications may not behave correctly as a + result. The exact behaviour will depend on the application but it + could result in crashes, infinite loops or other similar incorrect + responses.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-4044</cvename> + <url>https://www.openssl.org/news/secadv/20211214.txt</url> + </references> + <dates> + <discovery>2021-12-14</discovery> + <entry>2021-12-14</entry> + </dates> + </vuln> + <vuln vid="515df85a-5cd7-11ec-a16d-001517a2e1a4"> <topic>bastillion -- log4j vulnerability</topic> <affects>
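Review bot: The <range> for openssl-devel carries only an upper bound, <lt>3.0.1</lt>; since the subject and the quoted advisory describe an OpenSSL 3.0 issue, adding <ge>3.0.0</ge> would state the affected series explicitly and keep the entry from matching any pre-3.0 version that port might later carry. The <cvename>, the <url> reference and the blockquote's cite attribute all point at the same 20211214 advisory, which is consistent.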