--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2024-b002585dd2
2024-05-01 00:36:35.235047
--------------------------------------------------------------------------------

Name        : openssl3
Product     : Fedora EPEL 8
Version     : 3.2.1
Release     : 1.1.el8
URL         : http://www.openssl.org/
Summary     : Utilities from the general purpose cryptography library with TLS implementation
Description :
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.

--------------------------------------------------------------------------------
Update Information:

Merge in changes from c9s' openssl to pick up various CVE fixes and other bugfixes
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr 22 2024 Michel Lind salimma@fedoraproject.org - 3.2.1-1.1
- Merge c9s openssl changes to pick up CVE fixes

* Wed Apr 3 2024 Dmitry Belyavskiy dbelyavs@redhat.com - 1:3.2.1-1
- Rebasing OpenSSL to 3.2.1
  Resolves: RHEL-26271

* Wed Feb 21 2024 Dmitry Belyavskiy dbelyavs@redhat.com - 1:3.0.7-27
- Use certified FIPS module instead of freshly built one in Red Hat distribution
  Related: RHEL-23474

* Tue Nov 21 2023 Dmitry Belyavskiy dbelyavs@redhat.com - 1:3.0.7-26
- Avoid implicit function declaration when building openssl
  Related: RHEL-1780
- In FIPS mode, prevent any other operations when rsa_keygen_pairwise_test fails
  Resolves: RHEL-17104
- Add a directory for OpenSSL providers configuration
  Resolves: RHEL-17193
- Eliminate memory leak in OpenSSL when setting elliptic curves on SSL context
  Resolves: RHEL-19515
- POLY1305 MAC implementation corrupts vector registers on PowerPC (CVE-2023-6129)
  Resolves: RHEL-21151
- Excessive time spent checking invalid RSA public keys (CVE-2023-6237)
  Resolves: RHEL-21654
- SSL ECDHE Kex fails when pkcs11 engine is set in config file
  Resolves: RHEL-20249
- Denial of service via null dereference in PKCS#12
  Resolves: RHEL-22486
- Use certified FIPS module instead of freshly built one in Red Hat distribution
  Resolves: RHEL-23474

* Mon Oct 16 2023 Dmitry Belyavskiy dbelyavs@redhat.com - 1:3.0.7-25
- Provide relevant diagnostics when FIPS checksum is corrupted
  Resolves: RHEL-5317
- Don't limit using SHA1 in KDFs in non-FIPS mode.
  Resolves: RHEL-5295
- Provide empty evp_properties section in main OpenSSL configuration file
  Resolves: RHEL-11439
- Avoid implicit function declaration when building openssl
  Resolves: RHEL-1780
- Forbid explicit curves when created via EVP_PKEY_fromdata
  Resolves: RHEL-5304
- AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries (CVE-2023-2975)
  Resolves: RHEL-5302
- Excessive time spent checking DH keys and parameters (CVE-2023-3446)
  Resolves: RHEL-5306
- Excessive time spent checking DH q parameter value (CVE-2023-3817)
  Resolves: RHEL-5308
- Fix incorrect cipher key and IV length processing (CVE-2023-5363)
  Resolves: RHEL-13251
- Switch explicit FIPS indicator for RSA-OAEP to approved following clarification with CMVP
  Resolves: RHEL-14083
- Backport the check required by SP800-56Br2 6.4.1.2.1 (3.c)
  Resolves: RHEL-14083
- Add missing ECDH Public Key Check in FIPS mode
  Resolves: RHEL-15990
- Excessive time spent in DH check/generation with large Q parameter value (CVE-2023-5678)
  Resolves: RHEL-15954

* Wed Jul 12 2023 Dmitry Belyavskiy dbelyavs@redhat.com - 1:3.0.7-24
- Make FIPS module configuration more crypto-policies friendly
  Related: rhbz#2216256

* Tue Jul 11 2023 Dmitry Belyavskiy dbelyavs@redhat.com - 1:3.0.7-23
- Add a workaround for lack of EMS in FIPS mode
  Resolves: rhbz#2216256

* Thu Jul 6 2023 Sahana Prasad sahana@redhat.com - 1:3.0.7-22
- Remove unsupported curves from nist_curves.
  Resolves: rhbz#2069336

* Mon Jun 26 2023 Sahana Prasad sahana@redhat.com - 1:3.0.7-21
- Remove the listing of brainpool curves in FIPS mode.
  Related: rhbz#2188180

* Tue May 30 2023 Dmitry Belyavskiy dbelyavs@redhat.com - 1:3.0.7-20
- Fix possible DoS translating ASN.1 object identifiers
  Resolves: CVE-2023-2650
- Release the DRBG in global default libctx early
  Resolves: rhbz#2211340

* Mon May 22 2023 Clemens Lang cllang@redhat.com - 1:3.0.7-19
- Re-enable DHX keys in FIPS mode, disable FIPS 186-4 parameter validation and generation in FIPS mode
  Resolves: rhbz#2169757

* Thu May 18 2023 Dmitry Belyavskiy dbelyavs@redhat.com - 1:3.0.7-18
- Use OAEP padding and aes-128-cbc by default in cms command in FIPS mode
  Resolves: rhbz#2160797

* Tue May 9 2023 Dmitry Belyavskiy dbelyavs@redhat.com - 1:3.0.7-17
- Enforce using EMS in FIPS mode - better alerts
  Related: rhbz#2157951

* Tue May 2 2023 Sahana Prasad sahana@redhat.com - 1:3.0.7-16
- Upload new upstream sources without manually hobbling them.
- Remove the hobbling script as it is redundant. It is now allowed to ship
  the sources of patented EC curves, however it is still made unavailable to use
  by compiling with the 'no-ec2m' Configure option. The additional forbidden
  curves such as P-160, P-192, wap-tls curves are manually removed by updating
  0011-Remove-EC-curves.patch.
- Enable Brainpool curves.
- Apply the changes to ec_curve.c and ectest.c as a new patch
  0010-Add-changes-to-ectest-and-eccurve.patch instead of replacing them.
- Modify 0011-Remove-EC-curves.patch to allow Brainpool curves.
- Modify 0011-Remove-EC-curves.patch to allow code under macro OPENSSL_NO_EC2M.
  Resolves: rhbz#2130618, rhbz#2188180

* Fri Apr 28 2023 Dmitry Belyavskiy dbelyavs@redhat.com - 1:3.0.7-15
- Backport implicit rejection for RSA PKCS#1 v1.5 encryption
  Resolves: rhbz#2153471

* Fri Apr 21 2023 Dmitry Belyavskiy dbelyavs@redhat.com - 1:3.0.7-14
- Input buffer over-read in AES-XTS implementation on 64 bit ARM
  Resolves: rhbz#2188554

* Tue Apr 18 2023 Dmitry Belyavskiy dbelyavs@redhat.com - 1:3.0.7-13
- Enforce using EMS in FIPS mode
  Resolves: rhbz#2157951
- Fix excessive resource usage in verifying X509 policy constraints
  Resolves: rhbz#2186661
- Fix invalid certificate policies in leaf certificates check
  Resolves: rhbz#2187429
- Certificate policy check not enabled
  Resolves: rhbz#2187431
- OpenSSL rsa_verify_recover key length checks in FIPS mode
  Resolves: rhbz#2186819

* Fri Mar 24 2023 Clemens Lang cllang@redhat.com - 1:3.0.7-12
- Change explicit FIPS indicator for RSA decryption to unapproved
  Resolves: rhbz#2179379

* Mon Mar 20 2023 Clemens Lang cllang@redhat.com - 1:3.0.7-11
- Add missing reference to patchfile to add explicit FIPS indicator to RSA
  encryption and RSASVE and fix the gettable parameter list for the RSA
  asymmetric cipher implementation.
  Resolves: rhbz#2179379

* Fri Mar 17 2023 Clemens Lang cllang@redhat.com - 1:3.0.7-10
- Add explicit FIPS indicator to RSA encryption and RSASVE
  Resolves: rhbz#2179379

* Thu Mar 16 2023 Clemens Lang cllang@redhat.com - 1:3.0.7-9
- Fix explicit FIPS indicator for X9.42 KDF when used with output lengths < 14 bytes
  Resolves: rhbz#2175864

* Thu Mar 16 2023 Clemens Lang cllang@redhat.com - 1:3.0.7-8
- Fix Wpointer-sign compiler warning
  Resolves: rhbz#2178034

* Tue Mar 14 2023 Clemens Lang cllang@redhat.com - 1:3.0.7-7
- Add explicit FIPS indicators to key derivation functions
  Resolves: rhbz#2175860 rhbz#2175864
- Zeroize FIPS module integrity check MAC after check
  Resolves: rhbz#2175873
- Add explicit FIPS indicator for IV generation in AES-GCM
  Resolves: rhbz#2175868
- Add explicit FIPS indicator for PBKDF2, use test vector with FIPS-compliant
  salt in PBKDF2 FIPS self-test
  Resolves: rhbz#2178137
- Limit RSA_NO_PADDING for encryption and signature in FIPS mode
  Resolves: rhbz#2178029
- Pairwise consistency tests should use Digest+Sign/Verify
  Resolves: rhbz#2178034
- Forbid DHX keys import in FIPS mode
  Resolves: rhbz#2178030
- DH PCT should abort on failure
  Resolves: rhbz#2178039
- Increase RNG seeding buffer size to 32
  Related: rhbz#2168224

* Wed Mar 8 2023 Dmitry Belyavskiy dbelyavs@redhat.com - 1:3.0.7-6
- Fixes RNG slowdown in FIPS mode
  Resolves: rhbz#2168224
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2182590 - CVE-2023-0465 openssl3: openssl: Invalid certificate policies in leaf certificates are silently ignored [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2182590
  [ 2 ] Bug #2182602 - CVE-2023-0466 openssl3: openssl: Certificate policy check not enabled [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2182602
  [ 3 ] Bug #2188526 - CVE-2023-1255 openssl3: openssl: Input buffer over-read in AES-XTS implementation on 64 bit ARM [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2188526
  [ 4 ] Bug #2211109 - CVE-2023-2650 openssl3: openssl: Possible DoS translating ASN.1 object identifiers [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2211109
  [ 5 ] Bug #2223821 - TRIAGE-CVE-2023-2975 openssl3: openSSL: AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2223821
  [ 6 ] Bug #2228050 - CVE-2023-3817 openssl3: OpenSSL: Excessive time spent checking DH q parameter value [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2228050
  [ 7 ] Bug #2248621 - CVE-2023-5678 openssl3: openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2248621
  [ 8 ] Bug #2249063 - CVE-2023-5363 openssl3: openssl: Incorrect cipher key and IV length processing [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2249063
  [ 9 ] Bug #2257573 - CVE-2023-6129 openssl3: openssl: POLY1305 MAC implementation corrupts vector registers on PowerPC [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2257573
  [ 10 ] Bug #2258505 - CVE-2023-6237 openssl3: openssl: Excessive time spent checking invalid RSA public keys [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2258505
  [ 11 ] Bug #2276143 - openssl3 epel-8 SIGILL on ppc64le Power8
        https://bugzilla.redhat.com/show_bug.cgi?id=2276143
--------------------------------------------------------------------------------

This update can be installed with the "yum" update programs. Use
su -c 'yum update openssl3' at the command line.
For more information, refer to "YUM", available at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-yum.html

All packages are signed with the Fedora EPEL GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
epel-package-announce@lists.fedoraproject.org