Debian Bug report logs -
#1055473
openssl: CVE-2023-5678
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 6 Nov 2023 21:39:02 UTC
Severity: important
Tags: security, upstream
Found in versions openssl/3.0.12-1, openssl/3.0.11-1~deb12u2, openssl/3.0.11-1, openssl/3.0.11-1~deb12u1, openssl/1.1.1w-0+deb11u1
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>
:
Bug#1055473
; Package src:openssl
.
(Mon, 06 Nov 2023 21:39:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>
.
(Mon, 06 Nov 2023 21:39:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: openssl
Version: 3.0.12-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 3.0.11-1
Control: found -1 3.0.11-1~deb12u1
Control: found -1 3.0.11-1~deb12u2
Control: found -1 1.1.1w-0+deb11u1
Hi,
The following vulnerability was published for openssl.
CVE-2023-5678[0]:
| Issue summary: Generating excessively long X9.42 DH keys or checking
| excessively long X9.42 DH keys or parameters may be very slow.
| Impact summary: Applications that use the functions
| DH_generate_key() to generate an X9.42 DH key may experience long
| delays. Likewise, applications that use DH_check_pub_key(),
| DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42
| DH key or X9.42 DH parameters may experience long delays. Where the
| key or parameters that are being checked have been obtained from an
| untrusted source this may lead to a Denial of Service. While
| DH_check() performs all the necessary checks (as of CVE-2023-3817),
| DH_check_pub_key() doesn't make any of these checks, and is
| therefore vulnerable for excessively large P and Q parameters.
| Likewise, while DH_generate_key() performs a check for an
| excessively large P, it doesn't check for an excessively large Q.
| An application that calls DH_generate_key() or DH_check_pub_key()
| and supplies a key or parameters obtained from an untrusted source
| could be vulnerable to a Denial of Service attack.
| DH_generate_key() and DH_check_pub_key() are also called by a number
| of other OpenSSL functions. An application calling any of those
| other functions may similarly be affected. The other functions
| affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(),
| and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey
| command line application when using the "-pubcheck" option, as well
| as the OpenSSL genpkey command line application. The OpenSSL
| SSL/TLS implementation is not affected by this issue. The OpenSSL
| 3.0 and 3.1 FIPS providers are not affected by this issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-5678
https://www.cve.org/CVERecord?id=CVE-2023-5678
[1] https://www.openssl.org/news/secadv/20231106.txt
Regards,
Salvatore
Marked as found in versions openssl/3.0.11-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org
.
(Mon, 06 Nov 2023 21:39:04 GMT) (full text, mbox, link).
Marked as found in versions openssl/3.0.11-1~deb12u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org
.
(Mon, 06 Nov 2023 21:39:04 GMT) (full text, mbox, link).
Marked as found in versions openssl/3.0.11-1~deb12u2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org
.
(Mon, 06 Nov 2023 21:39:05 GMT) (full text, mbox, link).
Marked as found in versions openssl/1.1.1w-0+deb11u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org
.
(Mon, 06 Nov 2023 21:39:05 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Tue Nov 7 17:55:20 2023;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.