ELSA-2023-12152

ELSA-2023-12152 - openssl security update

Type:	SECURITY
Impact:	MODERATE
Release Date:	2023-03-01

Description

[3.0.1-47.0.1]
- Replace upstream references [Orabug: 34340177]

[1:3.0.1-47]
- Fixed X.509 Name Constraints Read Buffer Overflow
Resolves: CVE-2022-4203
- Fixed Timing Oracle in RSA Decryption
Resolves: CVE-2022-4304
- Fixed Double free after calling PEM_read_bio_ex
Resolves: CVE-2022-4450
- Fixed Use-after-free following BIO_new_NDEF
Resolves: CVE-2023-0215
- Fixed Invalid pointer dereference in d2i_PKCS7 functions
Resolves: CVE-2023-0216
- Fixed NULL dereference validating DSA public key
Resolves: CVE-2023-0217
- Fixed X.400 address type confusion in X.509 GeneralName
Resolves: CVE-2023-0286
- Fixed NULL dereference during PKCS7 data verification
Resolves: CVE-2023-0401

[1:3.0.1-46]
- Refactor OpenSSL fips module MAC verification
Resolves: rhbz#2158412
- Disallow SHAKE in RSA-OAEP decryption in FIPS mode
Resolves: rhbz#2144010

[1:3.0.1-45]
- Add support of X25519 and X448 'group' parameter in EVP_PKEY_CTX objects
Resolves: rhbz#2149010
- Fix explicit indicator for PSS salt length in FIPS mode when used with
negative magic values
Resolves: rhbz#2144012
- Update change to default PSS salt length with patch state from upstream
Related: rhbz#2144012

[1:3.0.1-44]
- SHAKE-128/256 are not allowed with RSA in FIPS mode
Resolves: rhbz#2144010
- Avoid memory leaks in TLS
Resolves: rhbz#2144008
- FIPS RSA CRT tests must use correct parameters
Resolves: rhbz#2144006
- FIPS-140-3 permits only SHA1, SHA256, and SHA512 for DRBG-HASH/DRBG-HMAC
Resolves: rhbz#2144017
- Remove support for X9.31 signature padding in FIPS mode
Resolves: rhbz#2144015
- Add explicit indicator for SP 800-108 KDFs with short key lengths
Resolves: rhbz#2144019
- Add explicit indicator for HMAC with short key lengths
Resolves: rhbz#2144000
- Set minimum password length for PBKDF2 in FIPS mode
Resolves: rhbz#2144003
- Add explicit indicator for PSS salt length in FIPS mode
Resolves: rhbz#2144012
- Clamp default PSS salt length to digest size for FIPS 186-4 compliance
Related: rhbz#2144012
- Forbid short RSA keys for key encapsulation/decapsulation in FIPS mode
Resolves: rhbz#2145170

Related CVEs

CVE-2023-0286

CVE-2022-4450

CVE-2023-0215

CVE-2022-4203

CVE-2022-4304

CVE-2023-0401

CVE-2023-0217

CVE-2023-0216

Updated Packages

Release/Architecture	Filename	sha256	Superseded By Advisory	Channel Label
Oracle Linux 9 (aarch64)	openssl-3.0.1-47.0.1.ksplice1.el9_1.src.rpm	7f94c52dc7fa46281f90bda1c9a37b155299d2bb57d3502c3d45ac24448891e2	-	ol9_aarch64_userspace_ksplice
	openssl-3.0.1-47.0.1.ksplice1.el9_1.aarch64.rpm	98fd26e4f1b05dbce9ace98753f48d3304f1b53a57994a88a72f6c5edd76a6a0	-	ol9_aarch64_userspace_ksplice
	openssl-devel-3.0.1-47.0.1.ksplice1.el9_1.aarch64.rpm	8744f536e5d854c064979755f752be130b8107a41d01384c23d76f4294b109d8	-	ol9_aarch64_userspace_ksplice
	openssl-libs-3.0.1-47.0.1.ksplice1.el9_1.aarch64.rpm	850920683792075510c80070ce3d914f92d856568866c5de784da952cf292f15	-	ol9_aarch64_userspace_ksplice
	openssl-perl-3.0.1-47.0.1.ksplice1.el9_1.aarch64.rpm	3e5e1bbf1eb3a937a047010c68332b75000c2a2108b0dc6fa0188015e993d72d	-	ol9_aarch64_userspace_ksplice
Oracle Linux 9 (x86_64)	openssl-3.0.1-47.0.1.ksplice1.el9_1.src.rpm	7f94c52dc7fa46281f90bda1c9a37b155299d2bb57d3502c3d45ac24448891e2	-	ol9_x86_64_userspace_ksplice
	openssl-3.0.1-47.0.1.ksplice1.el9_1.x86_64.rpm	86f886d7c90d9f98b45c2d8e285e0a2bb914355fc0a59c4d66ae4b9321646327	-	ol9_x86_64_userspace_ksplice
	openssl-devel-3.0.1-47.0.1.ksplice1.el9_1.i686.rpm	3b6f99692e3d7f1ba4305568a0c049ddfbb814b7798561d6925345ea37406df0	-	ol9_x86_64_userspace_ksplice
	openssl-devel-3.0.1-47.0.1.ksplice1.el9_1.x86_64.rpm	fc1e20995d87c2a68b1340e4a1ca849b9736d7cfe325b60b2419a48f5480ee9e	-	ol9_x86_64_userspace_ksplice
	openssl-libs-3.0.1-47.0.1.ksplice1.el9_1.i686.rpm	cc624e00b3bbe369c9909953c9fc4957e4866bfa736e954df374700e78e6a958	-	ol9_x86_64_userspace_ksplice
	openssl-libs-3.0.1-47.0.1.ksplice1.el9_1.x86_64.rpm	575ea5ea398ded67ccc8cf552414561faf7d3b51cdc95b6ae059d8498095909a	-	ol9_x86_64_userspace_ksplice
	openssl-perl-3.0.1-47.0.1.ksplice1.el9_1.x86_64.rpm	dd51fcec929c913593acfffc0c3a736c87f7906d188b4f3a7db2b23070647cb8	-	ol9_x86_64_userspace_ksplice

This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team