ELSA-2021-9561

ELSA-2021-9561 - openssl security update

Type: SECURITY
Impact: MODERATE
Release Date: 2021-11-23

Description


[1:1.1.1k-4]
- Fixes bugs in s390x AES code.
- Uses the first detected address family if IPv6 is not available
- Reverts the changes in https://github.com/openssl/openssl/pull/13305
  because they introduce a regression: if the server has a DSA key pair, the handshake fails
  when the protocol is not explicitly set to TLS 1.2. However, if the patch is reverted,
  it has an effect on the 'ssl_reject_handshake' feature in nginx. Although this feature
  will continue to work, the TLS 1.3 protocol becomes unavailable/disabled. This is already
  known - https://trac.nginx.org/nginx/ticket/2071#comment:1
  As per https://github.com/openssl/openssl/issues/16075#issuecomment-879939938, nginx
  could use the early callback instead of the servername callback.
- Resolves: rhbz#1978214
- Related: rhbz#1934534

[1:1.1.1k-3]
- Cleans up the peer point formats on renegotiation
- Resolves: rhbz#1965362

[1:1.1.1k-2]
- Fixes FIPS_selftest to work in FIPS mode. Resolves: rhbz#1940085
- Using safe primes for FIPS DH self-test

[1.1.1k-1]
- Update to version 1.1.1k

[1.1.1g-16]
- Use AI_ADDRCONFIG only when explicit host name is given
- Allow only curves defined in RFC 8446 in TLS 1.3


Related CVEs


CVE-2021-23841
CVE-2021-23840

Updated Packages


| Release/Architecture | Filename | sha256 | Superseded By Advisory | Channel Label |
|---|---|---|---|---|
| Oracle Linux 8 (aarch64) | openssl-1.1.1k-4.ksplice1.el8.src.rpm | 2087493658607c58ad2e56d12f30bd2bda21c6cda73e1bf867ef1f44478cdb7a | - | ol8_aarch64_userspace_ksplice |
| Oracle Linux 8 (aarch64) | openssl-1.1.1k-4.ksplice1.el8.aarch64.rpm | 8337bd3ddca16abd8afe99d263c014c368b994cd8ec3b4a228e8fffe7cabc6a3 | - | ol8_aarch64_userspace_ksplice |
| Oracle Linux 8 (aarch64) | openssl-debugsource-1.1.1k-4.ksplice1.el8.aarch64.rpm | 01ac23ea23a2ccb9bbf9aa84291ebe56fccd1432cde6e353e541f47e3e9f752f | - | ol8_aarch64_userspace_ksplice |
| Oracle Linux 8 (aarch64) | openssl-devel-1.1.1k-4.ksplice1.el8.aarch64.rpm | c64543b94aa6797a23aa7637e920dac822d1bf5320e2acd975d31b24fe3e20fd | - | ol8_aarch64_userspace_ksplice |
| Oracle Linux 8 (aarch64) | openssl-libs-1.1.1k-4.ksplice1.el8.aarch64.rpm | b6caaf3ca551af3174caa76748a752397427dd4b10c6f7de7985095fbb527f0c | - | ol8_aarch64_userspace_ksplice |
| Oracle Linux 8 (aarch64) | openssl-perl-1.1.1k-4.ksplice1.el8.aarch64.rpm | ce492d95607ffedfdc44e6c43c46813f4be3a5cc0e571b3b454dd2070d72e58a | - | ol8_aarch64_userspace_ksplice |
| Oracle Linux 8 (aarch64) | openssl-static-1.1.1k-4.ksplice1.el8.aarch64.rpm | 87abbc9f2c365797c57ce209d30959ad3ad489d9b98f13f2189220fb66765d99 | - | ol8_aarch64_userspace_ksplice |
| Oracle Linux 8 (x86_64) | openssl-1.1.1k-4.ksplice1.el8.src.rpm | 19e388ecf6dd2ec2d3bc41c5a875c58603b2e963f178b34a9ae72fe502381236 | - | ol8_x86_64_userspace_ksplice |
| Oracle Linux 8 (x86_64) | openssl-1.1.1k-4.ksplice1.el8.x86_64.rpm | 33db897edc25065d74b07c9b9939647d340a50686d33421f1b52e816561c4838 | - | ol8_x86_64_userspace_ksplice |
| Oracle Linux 8 (x86_64) | openssl-devel-1.1.1k-4.ksplice1.el8.i686.rpm | 5b96f3db9fe0dec258a93d1aecee35f85f7ea7047895f137b7205f35541a5558 | - | ol8_x86_64_userspace_ksplice |
| Oracle Linux 8 (x86_64) | openssl-devel-1.1.1k-4.ksplice1.el8.x86_64.rpm | 40f0cf634bcfb959b7cf8bd7af46f18d227772b56676bc01c85fb11474846a67 | - | ol8_x86_64_userspace_ksplice |
| Oracle Linux 8 (x86_64) | openssl-libs-1.1.1k-4.ksplice1.el8.i686.rpm | 3d5e64b4c5f8445ea83d49783f3a7981d61565558644472d12b0542c229c692a | - | ol8_x86_64_userspace_ksplice |
| Oracle Linux 8 (x86_64) | openssl-libs-1.1.1k-4.ksplice1.el8.x86_64.rpm | 2d27c0b6a7229a8fdb03795025d56259011b728cb3a62477d966c2869dbd6add | - | ol8_x86_64_userspace_ksplice |
| Oracle Linux 8 (x86_64) | openssl-perl-1.1.1k-4.ksplice1.el8.x86_64.rpm | 82e7514bb5149391ccd0a872af743ef6f097e25f9b9f72a66fb4af401729db33 | - | ol8_x86_64_userspace_ksplice |



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team