--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2024-b002585dd2
2024-05-01 00:36:35.235047
--------------------------------------------------------------------------------
Name : openssl3
Product : Fedora EPEL 8
Version : 3.2.1
Release : 1.1.el8
URL :
http://www.openssl.org/
Summary : Utilities from the general purpose cryptography library with TLS
implementation
Description :
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.
--------------------------------------------------------------------------------
Update Information:
Merge in changes from c9s' openssl to pick up various CVE fixes and other
bugfixes
--------------------------------------------------------------------------------
ChangeLog:
* Mon Apr 22 2024 Michel Lind <salimma(a)fedoraproject.org> - 3.2.1-1.1
- Merge c9s openssl changes to pick up CVE fixes
* Wed Apr 3 2024 Dmitry Belyavskiy <dbelyavs(a)redhat.com> - 1:3.2.1-1
- Rebasing OpenSSL to 3.2.1
Resolves: RHEL-26271
* Wed Feb 21 2024 Dmitry Belyavskiy <dbelyavs(a)redhat.com> - 1:3.0.7-27
- Use certified FIPS module instead of freshly built one in Red Hat distribution
Related: RHEL-23474
* Tue Nov 21 2023 Dmitry Belyavskiy <dbelyavs(a)redhat.com> - 1:3.0.7-26
- Avoid implicit function declaration when building openssl
Related: RHEL-1780
- In FIPS mode, prevent any other operations when rsa_keygen_pairwise_test fails
Resolves: RHEL-17104
- Add a directory for OpenSSL providers configuration
Resolves: RHEL-17193
- Eliminate memory leak in OpenSSL when setting elliptic curves on SSL context
Resolves: RHEL-19515
- POLY1305 MAC implementation corrupts vector registers on PowerPC (CVE-2023-6129)
Resolves: RHEL-21151
- Excessive time spent checking invalid RSA public keys (CVE-2023-6237)
Resolves: RHEL-21654
- SSL ECDHE Kex fails when pkcs11 engine is set in config file
Resolves: RHEL-20249
- Denial of service via null dereference in PKCS#12
Resolves: RHEL-22486
- Use certified FIPS module instead of freshly built one in Red Hat distribution
Resolves: RHEL-23474
* Mon Oct 16 2023 Dmitry Belyavskiy <dbelyavs(a)redhat.com> - 1:3.0.7-25
- Provide relevant diagnostics when FIPS checksum is corrupted
Resolves: RHEL-5317
- Don't limit using SHA1 in KDFs in non-FIPS mode.
Resolves: RHEL-5295
- Provide empty evp_properties section in main OpenSSL configuration file
Resolves: RHEL-11439
- Avoid implicit function declaration when building openssl
Resolves: RHEL-1780
- Forbid explicit curves when created via EVP_PKEY_fromdata
Resolves: RHEL-5304
- AES-SIV cipher implementation contains a bug that causes it to ignore empty
associated data entries (CVE-2023-2975)
Resolves: RHEL-5302
- Excessive time spent checking DH keys and parameters (CVE-2023-3446)
Resolves: RHEL-5306
- Excessive time spent checking DH q parameter value (CVE-2023-3817)
Resolves: RHEL-5308
- Fix incorrect cipher key and IV length processing (CVE-2023-5363)
Resolves: RHEL-13251
- Switch explicit FIPS indicator for RSA-OAEP to approved following
clarification with CMVP
Resolves: RHEL-14083
- Backport the check required by SP800-56Br2 6.4.1.2.1 (3.c)
Resolves: RHEL-14083
- Add missing ECDH Public Key Check in FIPS mode
Resolves: RHEL-15990
- Excessive time spent in DH check/generation with large Q parameter value
(CVE-2023-5678)
Resolves: RHEL-15954
* Wed Jul 12 2023 Dmitry Belyavskiy <dbelyavs(a)redhat.com> - 1:3.0.7-24
- Make FIPS module configuration more crypto-policies friendly
Related: rhbz#2216256
* Tue Jul 11 2023 Dmitry Belyavskiy <dbelyavs(a)redhat.com> - 1:3.0.7-23
- Add a workaround for lack of EMS in FIPS mode
Resolves: rhbz#2216256
* Thu Jul 6 2023 Sahana Prasad <sahana(a)redhat.com> - 1:3.0.7-22
- Remove unsupported curves from nist_curves.
Resolves: rhbz#2069336
* Mon Jun 26 2023 Sahana Prasad <sahana(a)redhat.com> - 1:3.0.7-21
- Remove the listing of brainpool curves in FIPS mode.
Related: rhbz#2188180
* Tue May 30 2023 Dmitry Belyavskiy <dbelyavs(a)redhat.com> - 1:3.0.7-20
- Fix possible DoS translating ASN.1 object identifiers
Resolves: CVE-2023-2650
- Release the DRBG in global default libctx early
Resolves: rhbz#2211340
* Mon May 22 2023 Clemens Lang <cllang(a)redhat.com> - 1:3.0.7-19
- Re-enable DHX keys in FIPS mode, disable FIPS 186-4 parameter validation and generation
in FIPS mode
Resolves: rhbz#2169757
* Thu May 18 2023 Dmitry Belyavskiy <dbelyavs(a)redhat.com> - 1:3.0.7-18
- Use OAEP padding and aes-128-cbc by default in cms command in FIPS mode
Resolves: rhbz#2160797
* Tue May 9 2023 Dmitry Belyavskiy <dbelyavs(a)redhat.com> - 1:3.0.7-17
- Enforce using EMS in FIPS mode - better alerts
Related: rhbz#2157951
* Tue May 2 2023 Sahana Prasad <sahana(a)redhat.com> - 1:3.0.7-16
- Upload new upstream sources without manually hobbling them.
- Remove the hobbling script as it is redundant. It is now allowed to ship
the sources of patented EC curves, however it is still made unavailable to use
by compiling with the 'no-ec2m' Configure option. The additional forbidden
curves such as P-160, P-192, wap-tls curves are manually removed by updating
0011-Remove-EC-curves.patch.
- Enable Brainpool curves.
- Apply the changes to ec_curve.c and ectest.c as a new patch
0010-Add-changes-to-ectest-and-eccurve.patch instead of replacing them.
- Modify 0011-Remove-EC-curves.patch to allow Brainpool curves.
- Modify 0011-Remove-EC-curves.patch to allow code under macro OPENSSL_NO_EC2M.
Resolves: rhbz#2130618, rhbz#2188180
* Fri Apr 28 2023 Dmitry Belyavskiy <dbelyavs(a)redhat.com> - 1:3.0.7-15
- Backport implicit rejection for RSA PKCS#1 v1.5 encryption
Resolves: rhbz#2153471
* Fri Apr 21 2023 Dmitry Belyavskiy <dbelyavs(a)redhat.com> - 1:3.0.7-14
- Input buffer over-read in AES-XTS implementation on 64 bit ARM
Resolves: rhbz#2188554
* Tue Apr 18 2023 Dmitry Belyavskiy <dbelyavs(a)redhat.com> - 1:3.0.7-13
- Enforce using EMS in FIPS mode
Resolves: rhbz#2157951
- Fix excessive resource usage in verifying X509 policy constraints
Resolves: rhbz#2186661
- Fix invalid certificate policies in leaf certificates check
Resolves: rhbz#2187429
- Certificate policy check not enabled
Resolves: rhbz#2187431
- OpenSSL rsa_verify_recover key length checks in FIPS mode
Resolves: rhbz#2186819
* Fri Mar 24 2023 Clemens Lang <cllang(a)redhat.com> - 1:3.0.7-12
- Change explicit FIPS indicator for RSA decryption to unapproved
Resolves: rhbz#2179379
* Mon Mar 20 2023 Clemens Lang <cllang(a)redhat.com> - 1:3.0.7-11
- Add missing reference to patchfile to add explicit FIPS indicator to RSA
encryption and RSASVE and fix the gettable parameter list for the RSA
asymmetric cipher implementation.
Resolves: rhbz#2179379
* Fri Mar 17 2023 Clemens Lang <cllang(a)redhat.com> - 1:3.0.7-10
- Add explicit FIPS indicator to RSA encryption and RSASVE
Resolves: rhbz#2179379
* Thu Mar 16 2023 Clemens Lang <cllang(a)redhat.com> - 1:3.0.7-9
- Fix explicit FIPS indicator for X9.42 KDF when used with output lengths < 14 bytes
Resolves: rhbz#2175864
* Thu Mar 16 2023 Clemens Lang <cllang(a)redhat.com> - 1:3.0.7-8
- Fix Wpointer-sign compiler warning
Resolves: rhbz#2178034
* Tue Mar 14 2023 Clemens Lang <cllang(a)redhat.com> - 1:3.0.7-7
- Add explicit FIPS indicators to key derivation functions
Resolves: rhbz#2175860 rhbz#2175864
- Zeroize FIPS module integrity check MAC after check
Resolves: rhbz#2175873
- Add explicit FIPS indicator for IV generation in AES-GCM
Resolves: rhbz#2175868
- Add explicit FIPS indicator for PBKDF2, use test vector with FIPS-compliant
salt in PBKDF2 FIPS self-test
Resolves: rhbz#2178137
- Limit RSA_NO_PADDING for encryption and signature in FIPS mode
Resolves: rhbz#2178029
- Pairwise consistency tests should use Digest+Sign/Verify
Resolves: rhbz#2178034
- Forbid DHX keys import in FIPS mode
Resolves: rhbz#2178030
- DH PCT should abort on failure
Resolves: rhbz#2178039
- Increase RNG seeding buffer size to 32
Related: rhbz#2168224
* Wed Mar 8 2023 Dmitry Belyavskiy <dbelyavs(a)redhat.com> - 1:3.0.7-6
- Fixes RNG slowdown in FIPS mode
Resolves: rhbz#2168224
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2182590 - CVE-2023-0465 openssl3: openssl: Invalid certificate policies in
leaf certificates are silently ignored [epel-8]
https://bugzilla.redhat.com/show_bug.cgi?id=2182590
[ 2 ] Bug #2182602 - CVE-2023-0466 openssl3: openssl: Certificate policy check not
enabled [epel-8]
https://bugzilla.redhat.com/show_bug.cgi?id=2182602
[ 3 ] Bug #2188526 - CVE-2023-1255 openssl3: openssl: Input buffer over-read in AES-XTS
implementation on 64 bit ARM [epel-8]
https://bugzilla.redhat.com/show_bug.cgi?id=2188526
[ 4 ] Bug #2211109 - CVE-2023-2650 openssl3: openssl: Possible DoS translating ASN.1
object identifiers [epel-8]
https://bugzilla.redhat.com/show_bug.cgi?id=2211109
[ 5 ] Bug #2223821 - TRIAGE-CVE-2023-2975 openssl3: openSSL: AES-SIV cipher
implementation contains a bug that causes it to ignore empty associated data entries
[epel-8]
https://bugzilla.redhat.com/show_bug.cgi?id=2223821
[ 6 ] Bug #2228050 - CVE-2023-3817 openssl3: OpenSSL: Excessive time spent checking DH q
parameter value [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2228050
[ 7 ] Bug #2248621 - CVE-2023-5678 openssl3: openssl: Generating excessively long X9.42
DH keys or checking excessively long X9.42 DH keys or parameters may be very slow
[epel-8]
https://bugzilla.redhat.com/show_bug.cgi?id=2248621
[ 8 ] Bug #2249063 - CVE-2023-5363 openssl3: openssl: Incorrect cipher key and IV length
processing [epel-8]
https://bugzilla.redhat.com/show_bug.cgi?id=2249063
[ 9 ] Bug #2257573 - CVE-2023-6129 openssl3: openssl: POLY1305 MAC implementation
corrupts vector registers on PowerPC [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2257573
[ 10 ] Bug #2258505 - CVE-2023-6237 openssl3: openssl: Excessive time spent checking
invalid RSA public keys [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2258505
[ 11 ] Bug #2276143 - openssl3 epel-8 SIGILL on ppc64le Power8
https://bugzilla.redhat.com/show_bug.cgi?id=2276143
--------------------------------------------------------------------------------
This update can be installed with the "yum" update programs. Use
su -c 'yum update openssl3' at the command line.
For more information, refer to "YUM", available at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7\
/html/System_Administrators_Guide/ch-yum.html
All packages are signed with the Fedora EPEL GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------