ELBA-2025-6314

ELBA-2025-6314 - openssl bug fix and enhancement update

Type: BUG
Impact: NA
Release Date: 2025-06-09

Description


[3.2.2-16.0.1]
- Replace upstream references [Orabug: 34340177]
- Update FIPS provider name [Orabug: 35824276]

[1:3.2.2-16]
- Fix timing side-channel in ECDSA signature computation (CVE-2024-13176)
Resolves: RHEL-70879
- Load system default cipher string from crypto-policies configuration file
should ignore errors.
Related: RHEL-71132
- RFC7250 handshakes with unauthenticated servers don't abort as expected (CVE-2024-12797)
Resolves: RHEL-76754
- Fix segfault on printing the temp key from s_client when connection is not established
Resolves: RHEL-79045

[1:3.2.2-15]
- Fix providers no_cache behavior
Resolves: RHEL-71903
- Fix pkcs12 command line segfault
Resolves: RHEL-70878
- Print key exchange group for hybrid PQC
Resolves: RHEL-66163
- Ensure correct fips.so checksum calculation
Resolves: RHEL-73170
- Locally configured providers should not interfere with openssl build-time tests
Resolves: RHEL-76182
- Load system default cipher string from crypto-policies configuration file
include /etc/crypto-policies/back-ends/opensslcnf.config and remove
/etc/crypto-policies/back-ends/openssl.config.
Resolves: RHEL-71132

[1:3.2.2-14]
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018

[1:3.2.2-13]
- Ship dummy(empty) openssl/engine.h
Resolves: RHEL-58178

[1:3.2.2-12]
- Fix CVE-2024-6119: Possible denial of service in X.509 name checks
Resolves: RHEL-55303

[1:3.2.2-11]
- Fix CVE-2024-5535: SSL_select_next_proto buffer overread
Resolves: RHEL-45692

[1:3.2.2-10]
- Use PBMAC1 by default when creating PKCS#12 files in FIPS mode
Related: RHEL-36659
- Support key encapsulation/decapsulation in openssl pkeyutl command
Resolves: RHEL-54156
- Fix typo in the patch numeration
Related: RHEL-41261
- Enable KTLS, temporarily disable KTLS tests
Related: RHEL-47335
- Speedup SSL_add_{file,dir}_cert_subjects_to_stack
Resolves: RHEL-54232
- Resolve SAST package scan results
Resolves: RHEL-37561

[1:3.2.2-9]
- An interface to create PKCS #12 files in FIPS compliant way
Related: RHEL-36659

[1:3.2.2-8]
- An interface to create PKCS #12 files in FIPS compliant way
Resolves: RHEL-36659

[1:3.2.2-7]
- Disallow SHA1 at SECLEVEL2 in OpenSSL
Resolves: RHEL-39962
- SHA-1 signature shouldn't work in normal mode
Resolves: RHEL-36677

[1:3.2.2-6]
- Do not install ENGINE headers, man pages, and define OPENSSL_NO_ENGINE
Resolves: RHEL-45704

[1:3.2.2-5]
- Replace HKDF backward compatibility patch with the official one
Related: RHEL-41261

[1:3.2.2-4]
- Bump release for June 2024 mass rebuild

[1:3.2.2-3]
- Add workaround for EVP_PKEY_CTX_add1_hkdf_info with older providers
Resolves: RHEL-41261

[1:3.2.2-2]
- Build openssl with no-atexit
Resolves: RHEL-40408

[1:3.2.2-1]
- Rebase to OpenSSL 3.2.2.
Related: RHEL-31762

[1:3.2.1-4]
- Synchronize patches from c9s and Fedora
- Resolves: RHEL-31762

[1:3.2.1-3]
- Temporarily disable ktls to unblock c10s builds
- Resolves: RHEL-25259

[1:3.2.1-2]
- Fix version aliasing issue
- https://github.com/openssl/openssl/issues/23534

[1:3.2.1-1]
- Rebase to upstream version 3.2.1

[1:3.1.4-4]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild

[1:3.1.4-3]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild

[1:3.1.4-2]
- We don't want to ship openssl-pkcs11 in RHEL10/CentOS 10

[1:3.1.4-1]
- Rebase to upstream version 3.1.4

[1:3.1.3-1]
- Rebase to upstream version 3.1.3

[1:3.1.1-4]
- Drop duplicated patch and do some contamination

[1:3.1.1-3]
- Integrate FIPS patches from CentOS

[1:3.1.1-2]
- migrated to SPDX license

[1:3.1.1-1]
- Rebase to upstream version 3.1.1
Resolves: CVE-2023-0464
Resolves: CVE-2023-0465
Resolves: CVE-2023-0466
Resolves: CVE-2023-1255
Resolves: CVE-2023-2650

[1:3.0.8-4]
- Forbid custom EC more completely
Resolves: rhbz#2223953

[1:3.0.8-3]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild

[1:3.0.8-2]
- Upload new upstream sources without manually hobbling them.
- Remove the hobbling script as it is redundant. It is now allowed to ship
the sources of patented EC curves, however it is still made unavailable to use
by compiling with the 'no-ec2m' Configure option. The additional forbidden
curves such as P-160, P-192, wap-tls curves are manually removed by updating
0011-Remove-EC-curves.patch.
- Enable Brainpool curves.
- Apply the changes to ec_curve.c and ectest.c as a new patch
0010-Add-changes-to-ectest-and-eccurve.patch instead of replacing them.
- Modify 0011-Remove-EC-curves.patch to allow Brainpool curves.
- Modify 0011-Remove-EC-curves.patch to allow code under macro OPENSSL_NO_EC2M.
Resolves: rhbz#2130618, rhbz#2141672

[1:3.0.8-1]
- Rebase to upstream version 3.0.8
Resolves: CVE-2022-4203
Resolves: CVE-2022-4304
Resolves: CVE-2022-4450
Resolves: CVE-2023-0215
Resolves: CVE-2023-0216
Resolves: CVE-2023-0217
Resolves: CVE-2023-0286
Resolves: CVE-2023-0401

[1:3.0.7-4]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild

[1:3.0.7-3]
- Backport implicit rejection for RSA PKCS#1 v1.5 encryption
Resolves: rhbz#2153470

[1:3.0.7-2]
- Refactor embedded mac verification in FIPS module
Resolves: rhbz#2156045

[1:3.0.7-1]
- Rebase to upstream version 3.0.7
- C99 compatibility in downstream-only 0032-Force-fips.patch
Resolves: rhbz#2152504
- Adjusting include for the FIPS_mode macro
Resolves: rhbz#2083876

[1:3.0.5-7]
- Backport patches to fix external providers compatibility issues

[1:3.0.5-6]
- CVE-2022-3602: X.509 Email Address Buffer Overflow
- CVE-2022-3786: X.509 Email Address Buffer Overflow
Resolves: CVE-2022-3602
Resolves: CVE-2022-3786

[1:3.0.5-5]
- Update patches to make ELN build happy
Resolves: rhbz#2123755

[1:3.0.5-4]
- Fix AES-GCM on Power 8 CPUs
Resolves: rhbz#2124845

[1:3.0.5-3]
- Sync patches with RHEL
Related: rhbz#2123755

[1:3.0.5-2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild

[1:3.0.5-1]
- Rebase to upstream version 3.0.5
Related: rhbz#2099972, CVE-2022-2097

[1:3.0.3-1]
- Rebase to upstream version 3.0.3

[1:3.0.2-5]
- Instrument with USDT probes related to SHA-1 deprecation

[1:3.0.2-4]
- Support rsa_pkcs1_md5_sha1 in TLS 1.0/1.1 with rh-allow-sha1-signatures = yes
to restore TLS 1.0 and 1.1 support in LEGACY crypto-policy.
Related: rhbz#2069239

[1:3.0.2-4]
- Instrument with USDT probes related to SHA-1 deprecation

[1:3.0.2-3]
- Disable SHA-1 by default in ELN using the patches from CentOS
- Fix a FIXME in the openssl.cnf(5) manpage

[1:3.0.2-2]
- Silence a few rpmlint false positives.

[1:3.0.2-2]
- Allow disabling SHA1 signature creation and verification.
Set rh-allow-sha1-signatures = no to disable.
Allow SHA1 in TLS in SECLEVEL 1 if rh-allow-sha1-signatures = yes. This will
support SHA1 in TLS in the LEGACY crypto-policy.
Resolves: rhbz#2070977
Related: rhbz#2031742, rhbz#2062640

[1:3.0.2-1]
- Rebase to upstream version 3.0.2

[1:3.0.0-2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild

[1:3.0.0-1]




Updated Packages


Release/Architecture | Filename | sha256 | Superseded By Advisory | Channel Label



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections, please contact the Oracle Linux ULN team.
