Date: Tue, 7 Feb 2023 19:54:01 GMT From: Bernard Spil <brnrd@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 43ba1e9c8da6 - main - security/vuxml: Document new OpenSSL vulnerabilities Message-ID: <202302071954.317Js1ho006685@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by brnrd: URL: https://cgit.FreeBSD.org/ports/commit/?id=43ba1e9c8da6e7398e3bbbd7cb3a22927627cc80 commit 43ba1e9c8da6e7398e3bbbd7cb3a22927627cc80 Author: Bernard Spil <brnrd@FreeBSD.org> AuthorDate: 2023-02-07 19:53:59 +0000 Commit: Bernard Spil <brnrd@FreeBSD.org> CommitDate: 2023-02-07 19:53:59 +0000 security/vuxml: Document new OpenSSL vulnerabilities --- security/vuxml/vuln/2023.xml | 96 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 96 insertions(+) diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index d1f49c49a55d..f5afecca995b 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,3 +1,99 @@ + <vuln vid="648a432c-a71f-11ed-86e9-d4c9ef517024"> + <topic>OpenSSL -- Multiple vulnerabilities</topic> + <affects> + <package> + <name>openssl</name> + <range><lt>1.1.1t,1</lt></range> + </package> + <package> + <name>openssl-devel</name> + <range><lt>3.0.8</lt></range> + </package> + <package> + <name>openssl-quictls</name> + <range><lt>3.0.8</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>The OpenSSL project reports:</p> + <blockquote cite="https://www.openssl.org/news/secadv/20230207.txt">; + <p>X.400 address type confusion in X.509 GeneralName (CVE-2023-0286) (High): + There is a type confusion vulnerability relating to X.400 address processing + inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but + the public structure definition for GENERAL_NAME incorrectly specified the type + of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by + the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an + ASN1_STRING.</p> + <p>Timing Oracle in RSA Decryption (CVE-2022-4304) (Moderate): + A timing based side channel exists in the OpenSSL RSA Decryption implementation + which could be sufficient to recover a plaintext across a network in a + Bleichenbacher style attack. To achieve a successful decryption an attacker + would have to be able to send a very large number of trial messages for + decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, + RSA-OEAP and RSASVE.</p> + <p>X.509 Name Constraints Read Buffer Overflow (CVE-2022-4203) (Moderate): + A read buffer overrun can be triggered in X.509 certificate verification, + specifically in name constraint checking. Note that this occurs + after certificate chain signature verification and requires either a + CA to have signed the malicious certificate or for the application to + continue certificate verification despite failure to construct a path + to a trusted issuer.</p> + <p>Use-after-free following BIO_new_NDEF (CVE-2023-0215) (Moderate): + The public API function BIO_new_NDEF is a helper function used for streaming + ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the + SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by + end user applications.</p> + <p>Double free after calling PEM_read_bio_ex (CVE-2022-4450) (Moderate): + The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and + decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. + If the function succeeds then the "name_out", "header" and "data" arguments are + populated with pointers to buffers containing the relevant decoded data. The + caller is responsible for freeing those buffers. It is possible to construct a + PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() + will return a failure code but will populate the header argument with a pointer + to a buffer that has already been freed. If the caller also frees this buffer + then a double free will occur. This will most likely lead to a crash. This + could be exploited by an attacker who has the ability to supply malicious PEM + files for parsing to achieve a denial of service attack.</p> + <p>Invalid pointer dereference in d2i_PKCS7 functions (CVE-2023-0216) (Moderate): + An invalid pointer dereference on read can be triggered when an + application tries to load malformed PKCS7 data with the + d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.</p> + <p>NULL dereference validating DSA public key (CVE-2023-0217) (Moderate): + An invalid pointer dereference on read can be triggered when an + application tries to check a malformed DSA public key by the + EVP_PKEY_public_check() function. This will most likely lead + to an application crash. This function can be called on public + keys supplied from untrusted sources which could allow an attacker + to cause a denial of service attack.</p> + <p>NULL dereference during PKCS7 data verification (CVE-2023-0401) (Moderate): + A NULL pointer can be dereferenced when signatures are being + verified on PKCS7 signed or signedAndEnveloped data. In case the hash + algorithm used for the signature is known to the OpenSSL library but + the implementation of the hash algorithm is not available the digest + initialization will fail. There is a missing check for the return + value from the initialization function which later leads to invalid + usage of the digest API most likely leading to a crash.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2023-0286</cvename> + <cvename>CVE-2022-4304</cvename> + <cvename>CVE-2022-4203</cvename> + <cvename>CVE-2023-0215</cvename> + <cvename>CVE-2022-4450</cvename> + <cvename>CVE-2023-0216</cvename> + <cvename>CVE-2023-0401</cvename> + <url>https://www.openssl.org/news/secadv/20230207.txt</url>; + </references> + <dates> + <discovery>2023-02-07</discovery> + <entry>2023-02-07</entry> + </dates> + </vuln> + <vuln vid="c49a880d-a5bb-11ed-aab5-080027de9982"> <topic>Django -- multiple vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202302071954.317Js1ho006685>