Type: | SECURITY |
Severity: | LOW |
Release Date: | 2024-11-14 |
openssl
[1:3.2.2-6.0.1]
- Enable openssl-fips-provider dependency [Orabug: 36504822]
- Temporary disable openssl-fips-provider dependency [Orabug: 36504822]
- Replace upstream references [Orabug: 34340177]
[1:3.2.2-6]
- rebuilt
Related: RHEL-55339
[1:3.2.2-5]
- Fix CVE-2024-6119: Possible denial of service in X.509 name checks
Resolves: RHEL-55339
[1:3.2.2-4]
- Fix CVE-2024-5535: SSL_select_next_proto buffer overread
Resolves: RHEL-45657
[1:3.2.2-3]
- Replace HKDF backward compatibility patch with the official one
Related: RHEL-40823
[1:3.2.2-2]
- Add workaround for EVP_PKEY_CTX_add1_hkdf_info with older providers
Resolves: RHEL-40823
[1:3.2.2-1]
- Rebase to OpenSSL 3.2.2. Fixes CVE-2024-2511, CVE-2024-4603, CVE-2024-4741,
and Minerva attack.
Resolves: RHEL-32148
Resolves: RHEL-36792
Resolves: RHEL-38514
Resolves: RHEL-39111
[1:3.2.1-2]
- Update RNG changing for FIPS purpose
Resolves: RHEL-35380
[1:3.2.1-1]
- Rebasing OpenSSL to 3.2.1
Resolves: RHEL-26271
[1:3.0.7-27]
- Use certified FIPS module instead of freshly built one in Red Hat distribution
Related: RHEL-23474
[1:3.0.7-26]
- Avoid implicit function declaration when building openssl
Related: RHEL-1780
- In FIPS mode, prevent any other operations when rsa_keygen_pairwise_test fails
Resolves: RHEL-17104
- Add a directory for OpenSSL providers configuration
Resolves: RHEL-17193
- Eliminate memory leak in OpenSSL when setting elliptic curves on SSL context
Resolves: RHEL-19515
- POLY1305 MAC implementation corrupts vector registers on PowerPC (CVE-2023-6129)
Resolves: RHEL-21151
- Excessive time spent checking invalid RSA public keys (CVE-2023-6237)
Resolves: RHEL-21654
- SSL ECDHE Kex fails when pkcs11 engine is set in config file
Resolves: RHEL-20249
- Denial of service via null dereference in PKCS#12
Resolves: RHEL-22486
- Use certified FIPS module instead of freshly built one in Red Hat distribution
Resolves: RHEL-23474
[1:3.0.7-25]
- Provide relevant diagnostics when FIPS checksum is corrupted
Resolves: RHEL-5317
- Don't limit using SHA1 in KDFs in non-FIPS mode.
Resolves: RHEL-5295
- Provide empty evp_properties section in main OpenSSL configuration file
Resolves: RHEL-11439
- Avoid implicit function declaration when building openssl
Resolves: RHEL-1780
- Forbid explicit curves when created via EVP_PKEY_fromdata
Resolves: RHEL-5304
- AES-SIV cipher implementation contains a bug that causes it to ignore empty
associated data entries (CVE-2023-2975)
Resolves: RHEL-5302
- Excessive time spent checking DH keys and parameters (CVE-2023-3446)
Resolves: RHEL-5306
- Excessive time spent checking DH q parameter value (CVE-2023-3817)
Resolves: RHEL-5308
- Fix incorrect cipher key and IV length processing (CVE-2023-5363)
Resolves: RHEL-13251
- Switch explicit FIPS indicator for RSA-OAEP to approved following
clarification with CMVP
Resolves: RHEL-14083
- Backport the check required by SP800-56Br2 6.4.1.2.1 (3.c)
Resolves: RHEL-14083
- Add missing ECDH Public Key Check in FIPS mode
Resolves: RHEL-15990
- Excessive time spent in DH check/generation with large Q parameter value (CVE-2023-5678)
Resolves: RHEL-15954
[1:3.0.7-24]
- Make FIPS module configuration more crypto-policies friendly
Related: rhbz#2216256
[1:3.0.7-23]
- Add a workaround for lack of EMS in FIPS mode
Resolves: rhbz#2216256
[1:3.0.7-22]
- Remove unsupported curves from nist_curves.
Resolves: rhbz#2069336
[1:3.0.7-21]
- Remove the listing of brainpool curves in FIPS mode.
Related: rhbz#2188180
[1:3.0.7-20]
- Fix possible DoS translating ASN.1 object identifiers
Resolves: CVE-2023-2650
- Release the DRBG in global default libctx early
Resolves: rhbz#2211340
[1:3.0.7-19]
- Re-enable DHX keys in FIPS mode, disable FIPS 186-4 parameter validation and generation in FIPS mode
Resolves: rhbz#2169757
[1:3.0.7-18]
- Use OAEP padding and aes-128-cbc by default in cms command in FIPS mode
Resolves: rhbz#2160797
[1:3.0.7-17]
- Enforce using EMS in FIPS mode - better alerts
Related: rhbz#2157951
[1:3.0.7-16]
- Upload new upstream sources without manually hobbling them.
- Remove the hobbling script as it is redundant. It is now allowed to ship
the sources of patented EC curves, however it is still made unavailable to use
by compiling with the 'no-ec2m' Configure option. The additional forbidden
curves such as P-160, P-192, wap-tls curves are manually removed by updating
0011-Remove-EC-curves.patch.
- Enable Brainpool curves.
- Apply the changes to ec_curve.c and ectest.c as a new patch
0010-Add-changes-to-ectest-and-eccurve.patch instead of replacing them.
- Modify 0011-Remove-EC-curves.patch to allow Brainpool curves.
- Modify 0011-Remove-EC-curves.patch to allow code under macro OPENSSL_NO_EC2M.
Resolves: rhbz#2130618, rhbz#2188180
[1:3.0.7-15]
- Backport implicit rejection for RSA PKCS#1 v1.5 encryption
Resolves: rhbz#2153471
[1:3.0.7-14]
- Input buffer over-read in AES-XTS implementation on 64 bit ARM
Resolves: rhbz#2188554
[1:3.0.7-13]
- Enforce using EMS in FIPS mode
Resolves: rhbz#2157951
- Fix excessive resource usage in verifying X509 policy constraints
Resolves: rhbz#2186661
- Fix invalid certificate policies in leaf certificates check
Resolves: rhbz#2187429
- Certificate policy check not enabled
Resolves: rhbz#2187431
- OpenSSL rsa_verify_recover key length checks in FIPS mode
Resolves: rhbz#2186819
[1:3.0.7-12]
- Change explicit FIPS indicator for RSA decryption to unapproved
Resolves: rhbz#2179379
[1:3.0.7-11]
- Add missing reference to patchfile to add explicit FIPS indicator to RSA
encryption and RSASVE and fix the gettable parameter list for the RSA
asymmetric cipher implementation.
Resolves: rhbz#2179379
[1:3.0.7-10]
- Add explicit FIPS indicator to RSA encryption and RSASVE
Resolves: rhbz#2179379
[1:3.0.7-9]
- Fix explicit FIPS indicator for X9.42 KDF when used with output lengths < 14 bytes
Resolves: rhbz#2175864
[1:3.0.7-8]
- Fix Wpointer-sign compiler warning
Resolves: rhbz#2178034
[1:3.0.7-7]
- Add explicit FIPS indicators to key derivation functions
Resolves: rhbz#2175860 rhbz#2175864
- Zeroize FIPS module integrity check MAC after check
Resolves: rhbz#2175873
- Add explicit FIPS indicator for IV generation in AES-GCM
Resolves: rhbz#2175868
- Add explicit FIPS indicator for PBKDF2, use test vector with FIPS-compliant
salt in PBKDF2 FIPS self-test
Resolves: rhbz#2178137
- Limit RSA_NO_PADDING for encryption and signature in FIPS mode
Resolves: rhbz#2178029
- Pairwise consistency tests should use Digest+Sign/Verify
Resolves: rhbz#2178034
- Forbid DHX keys import in FIPS mode
Resolves: rhbz#2178030
- DH PCT should abort on failure
Resolves: rhbz#2178039
- Increase RNG seeding buffer size to 32
Related: rhbz#2168224
[1:3.0.7-6]
- Fixes RNG slowdown in FIPS mode
Resolves: rhbz#2168224
[1:3.0.7-5]
- Fixed X.509 Name Constraints Read Buffer Overflow
Resolves: CVE-2022-4203
- Fixed Timing Oracle in RSA Decryption
Resolves: CVE-2022-4304
- Fixed Double free after calling PEM_read_bio_ex
Resolves: CVE-2022-4450
- Fixed Use-after-free following BIO_new_NDEF
Resolves: CVE-2023-0215
- Fixed Invalid pointer dereference in d2i_PKCS7 functions
Resolves: CVE-2023-0216
- Fixed NULL dereference validating DSA public key
Resolves: CVE-2023-0217
- Fixed X.400 address type confusion in X.509 GeneralName
Resolves: CVE-2023-0286
- Fixed NULL dereference during PKCS7 data verification
Resolves: CVE-2023-0401
[1:3.0.7-4]
- Disallow SHAKE in RSA-OAEP decryption in FIPS mode
Resolves: rhbz#2142121
[1:3.0.7-3]
- Refactor OpenSSL fips module MAC verification
Resolves: rhbz#2157965
[1:3.0.7-2]
- Various provider-related imrovements necessary for PKCS#11 provider correct operations
Resolves: rhbz#2142517
- We should export 2 versions of OPENSSL_str[n]casecmp to be compatible with upstream
Resolves: rhbz#2133809
- Removed recommended package for openssl-libs
Resolves: rhbz#2093804
- Adjusting include for the FIPS_mode macro
Resolves: rhbz#2083879
- Backport of ppc64le Montgomery multiply enhancement
Resolves: rhbz#2130708
- Fix explicit indicator for PSS salt length in FIPS mode when used with
negative magic values
Resolves: rhbz#2142087
- Update change to default PSS salt length with patch state from upstream
Related: rhbz#2142087
[1:3.0.7-1]
- Rebasing to OpenSSL 3.0.7
Resolves: rhbz#2129063
[1:3.0.1-44]
- SHAKE-128/256 are not allowed with RSA in FIPS mode
Resolves: rhbz#2144010
- Avoid memory leaks in TLS
Resolves: rhbz#2144008
- FIPS RSA CRT tests must use correct parameters
Resolves: rhbz#2144006
- FIPS-140-3 permits only SHA1, SHA256, and SHA512 for DRBG-HASH/DRBG-HMAC
Resolves: rhbz#2144017
- Remove support for X9.31 signature padding in FIPS mode
Resolves: rhbz#2144015
- Add explicit indicator for SP 800-108 KDFs with short key lengths
Resolves: rhbz#2144019
- Add explicit indicator for HMAC with short key lengths
Resolves: rhbz#2144000
- Set minimum password length for PBKDF2 in FIPS mode
Resolves: rhbz#2144003
- Add explicit indicator for PSS salt length in FIPS mode
Resolves: rhbz#2144012
- Clamp default PSS salt length to digest size for FIPS 186-4 compliance
Related: rhbz#2144012
- Forbid short RSA keys for key encapsulation/decapsulation in FIPS mode
Resolves: rhbz#2145170
[1:3.0.1-43]
- CVE-2022-3602: X.509 Email Address Buffer Overflow
- CVE-2022-3786: X.509 Email Address Buffer Overflow
Resolves: CVE-2022-3602
openssl-fips-provider
[3.0.7-6.0.1]
- Drop OpenELA branding [Orabug: 37274593]
- Add bundle with Oracle Linux 9 OpenSSL FIPS Provider module files [Orabug: 37274593]
- Update extract-src.sh script to support non-hobbled openssl tarball [Orabug: 37274593]
[3.0.7.openela.0.1]
- Add OpenELA specific changes
[3.0.7-6]
- Try to fix an upgrade issue with pkg version numbers
Resolves: RHEL-58662
[3.0.7-5]
- Add an empty metapackage and proper requires to correctly
handle upgrades.
Related: RHEL-32123
[3.0.7-4]
- Change subpackage names to avoid build gating issues
Related: RHEL-32123
[3.0.7-3]
- Change tarball source contents
- Rework file extraction process
- Fixes debug packages
Resolves: RHEL-32123
CVE-2024-4741 |
CVE-2024-2511 |
CVE-2024-5535 |
CVE-2024-4603 |
Release/Architecture | Filename | MD5sum | Superseded By Advisory | Channel Label |
Oracle Linux 9 (aarch64) | openssl-3.2.2-6.0.1.el9_5.src.rpm | 745f53be17e3366f646842ce6cf33a0c | - | ol9_aarch64_appstream |
openssl-3.2.2-6.0.1.el9_5.src.rpm | 745f53be17e3366f646842ce6cf33a0c | - | ol9_aarch64_baseos_latest | |
openssl-3.2.2-6.0.1.el9_5.src.rpm | 745f53be17e3366f646842ce6cf33a0c | - | ol9_aarch64_u5_baseos_base | |
openssl-fips-provider-3.0.7-6.0.1.el9_5.src.rpm | cd6d377e2a62aa66504f2193330e7842 | - | ol9_aarch64_baseos_latest | |
openssl-fips-provider-3.0.7-6.0.1.el9_5.src.rpm | cd6d377e2a62aa66504f2193330e7842 | - | ol9_aarch64_u5_baseos_base | |
openssl-3.2.2-6.0.1.el9_5.aarch64.rpm | 8ce23a344939fd74a8817e6079f67ea9 | - | ol9_aarch64_baseos_latest | |
openssl-3.2.2-6.0.1.el9_5.aarch64.rpm | 8ce23a344939fd74a8817e6079f67ea9 | - | ol9_aarch64_u5_baseos_base | |
openssl-devel-3.2.2-6.0.1.el9_5.aarch64.rpm | e63bbd4b0002bd2ff1af1c77f0bf0867 | - | ol9_aarch64_appstream | |
openssl-fips-provider-3.0.7-6.0.1.el9_5.aarch64.rpm | 37618279d5de98ee1dab2df3ef75c582 | - | ol9_aarch64_baseos_latest | |
openssl-fips-provider-3.0.7-6.0.1.el9_5.aarch64.rpm | 37618279d5de98ee1dab2df3ef75c582 | - | ol9_aarch64_u5_baseos_base | |
openssl-fips-provider-so-3.0.7-6.0.1.el9_5.aarch64.rpm | 804ece4bc089318ae73e8c78567f5f51 | - | ol9_aarch64_baseos_latest | |
openssl-fips-provider-so-3.0.7-6.0.1.el9_5.aarch64.rpm | 804ece4bc089318ae73e8c78567f5f51 | - | ol9_aarch64_u5_baseos_base | |
openssl-libs-3.2.2-6.0.1.el9_5.aarch64.rpm | 24108ed184949a29a1fc25243b3b44a7 | - | ol9_aarch64_baseos_latest | |
openssl-libs-3.2.2-6.0.1.el9_5.aarch64.rpm | 24108ed184949a29a1fc25243b3b44a7 | - | ol9_aarch64_u5_baseos_base | |
openssl-perl-3.2.2-6.0.1.el9_5.aarch64.rpm | e0da7c5627c8501db3f0be4471013cfa | - | ol9_aarch64_appstream | |
Oracle Linux 9 (x86_64) | openssl-3.2.2-6.0.1.el9_5.src.rpm | 745f53be17e3366f646842ce6cf33a0c | - | ol9_x86_64_appstream |
openssl-3.2.2-6.0.1.el9_5.src.rpm | 745f53be17e3366f646842ce6cf33a0c | - | ol9_x86_64_baseos_latest | |
openssl-3.2.2-6.0.1.el9_5.src.rpm | 745f53be17e3366f646842ce6cf33a0c | - | ol9_x86_64_u5_baseos_base | |
openssl-fips-provider-3.0.7-6.0.1.el9_5.src.rpm | cd6d377e2a62aa66504f2193330e7842 | - | ol9_x86_64_baseos_latest | |
openssl-fips-provider-3.0.7-6.0.1.el9_5.src.rpm | cd6d377e2a62aa66504f2193330e7842 | - | ol9_x86_64_u5_baseos_base | |
openssl-3.2.2-6.0.1.el9_5.x86_64.rpm | 72eb6bad543da03f08961eac7a47f40f | - | ol9_x86_64_baseos_latest | |
openssl-3.2.2-6.0.1.el9_5.x86_64.rpm | 72eb6bad543da03f08961eac7a47f40f | - | ol9_x86_64_u5_baseos_base | |
openssl-devel-3.2.2-6.0.1.el9_5.i686.rpm | 5ac5ca8a440dd3c872a67d313f57f48d | - | ol9_x86_64_appstream | |
openssl-devel-3.2.2-6.0.1.el9_5.x86_64.rpm | 9147901b4db475ae4b138fd9112ac0a8 | - | ol9_x86_64_appstream | |
openssl-fips-provider-3.0.7-6.0.1.el9_5.i686.rpm | 81e1c6eb445d0e52f05e51e474fa6dcd | - | ol9_x86_64_baseos_latest | |
openssl-fips-provider-3.0.7-6.0.1.el9_5.i686.rpm | 81e1c6eb445d0e52f05e51e474fa6dcd | - | ol9_x86_64_u5_baseos_base | |
openssl-fips-provider-3.0.7-6.0.1.el9_5.x86_64.rpm | 7ae0f7ecf37884de3991b66a1914f2b5 | - | ol9_x86_64_baseos_latest | |
openssl-fips-provider-3.0.7-6.0.1.el9_5.x86_64.rpm | 7ae0f7ecf37884de3991b66a1914f2b5 | - | ol9_x86_64_u5_baseos_base | |
openssl-fips-provider-so-3.0.7-6.0.1.el9_5.x86_64.rpm | addbb398bc546e2f4e9fbcdacc9f0aba | - | ol9_x86_64_baseos_latest | |
openssl-fips-provider-so-3.0.7-6.0.1.el9_5.x86_64.rpm | addbb398bc546e2f4e9fbcdacc9f0aba | - | ol9_x86_64_u5_baseos_base | |
openssl-libs-3.2.2-6.0.1.el9_5.i686.rpm | db5cb20b02f14454d3674727f776454a | - | ol9_x86_64_baseos_latest | |
openssl-libs-3.2.2-6.0.1.el9_5.i686.rpm | db5cb20b02f14454d3674727f776454a | - | ol9_x86_64_u5_baseos_base | |
openssl-libs-3.2.2-6.0.1.el9_5.x86_64.rpm | 89c8799cc3f8ed5ed204011cf4445b30 | - | ol9_x86_64_baseos_latest | |
openssl-libs-3.2.2-6.0.1.el9_5.x86_64.rpm | 89c8799cc3f8ed5ed204011cf4445b30 | - | ol9_x86_64_u5_baseos_base | |
openssl-perl-3.2.2-6.0.1.el9_5.x86_64.rpm | 884e734505a78814807b7b6fe38ce435 | - | ol9_x86_64_appstream |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections: