git: 43ba1e9c8da6 - main - security/vuxml: Document new OpenSSL vulnerabilities
Date: Tue, 07 Feb 2023 19:54:01 UTC
The branch main has been updated by brnrd: URL: https://cgit.FreeBSD.org/ports/commit/?id=43ba1e9c8da6e7398e3bbbd7cb3a22927627cc80 commit 43ba1e9c8da6e7398e3bbbd7cb3a22927627cc80 Author: Bernard Spil <brnrd@FreeBSD.org> AuthorDate: 2023-02-07 19:53:59 +0000 Commit: Bernard Spil <brnrd@FreeBSD.org> CommitDate: 2023-02-07 19:53:59 +0000 security/vuxml: Document new OpenSSL vulnerabilities --- security/vuxml/vuln/2023.xml | 96 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 96 insertions(+) diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index d1f49c49a55d..f5afecca995b 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml 
@@ -1,3 +1,99 @@ + <vuln vid="648a432c-a71f-11ed-86e9-d4c9ef517024"> + <topic>OpenSSL -- Multiple vulnerabilities</topic> + <affects> + <package> + <name>openssl</name> + <range><lt>1.1.1t,1</lt></range> + </package> + <package> + <name>openssl-devel</name> + <range><lt>3.0.8</lt></range> + </package> + <package> + <name>openssl-quictls</name> + <range><lt>3.0.8</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The OpenSSL project reports:</p> + <blockquote cite="https://www.openssl.org/news/secadv/20230207.txt"> + <p>X.400 address type confusion in X.509 GeneralName (CVE-2023-0286) (High): + There is a type confusion vulnerability relating to X.400 address processing + inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but + the public structure definition for GENERAL_NAME incorrectly specified the type + of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by + the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an + ASN1_STRING.</p> + <p>Timing Oracle in RSA Decryption (CVE-2022-4304) (Moderate): + A timing based side channel exists in the OpenSSL RSA Decryption implementation + which could be sufficient to recover a plaintext across a network in a + Bleichenbacher style attack. To achieve a successful decryption an attacker + would have to be able to send a very large number of trial messages for + decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, + RSA-OEAP and RSASVE.</p> + <p>X.509 Name Constraints Read Buffer Overflow (CVE-2022-4203) (Moderate): + A read buffer overrun can be triggered in X.509 certificate verification, + specifically in name constraint checking. 
Note that this occurs + after certificate chain signature verification and requires either a + CA to have signed the malicious certificate or for the application to + continue certificate verification despite failure to construct a path + to a trusted issuer.</p> + <p>Use-after-free following BIO_new_NDEF (CVE-2023-0215) (Moderate): + The public API function BIO_new_NDEF is a helper function used for streaming + ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the + SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by + end user applications.</p> + <p>Double free after calling PEM_read_bio_ex (CVE-2022-4450) (Moderate): + The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and + decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. + If the function succeeds then the "name_out", "header" and "data" arguments are + populated with pointers to buffers containing the relevant decoded data. The + caller is responsible for freeing those buffers. It is possible to construct a + PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() + will return a failure code but will populate the header argument with a pointer + to a buffer that has already been freed. If the caller also frees this buffer + then a double free will occur. This will most likely lead to a crash. 
This + could be exploited by an attacker who has the ability to supply malicious PEM + files for parsing to achieve a denial of service attack.</p> + <p>Invalid pointer dereference in d2i_PKCS7 functions (CVE-2023-0216) (Moderate): + An invalid pointer dereference on read can be triggered when an + application tries to load malformed PKCS7 data with the + d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.</p> + <p>NULL dereference validating DSA public key (CVE-2023-0217) (Moderate): + An invalid pointer dereference on read can be triggered when an + application tries to check a malformed DSA public key by the + EVP_PKEY_public_check() function. This will most likely lead + to an application crash. This function can be called on public + keys supplied from untrusted sources which could allow an attacker + to cause a denial of service attack.</p> + <p>NULL dereference during PKCS7 data verification (CVE-2023-0401) (Moderate): + A NULL pointer can be dereferenced when signatures are being + verified on PKCS7 signed or signedAndEnveloped data. In case the hash + algorithm used for the signature is known to the OpenSSL library but + the implementation of the hash algorithm is not available the digest + initialization will fail. 
There is a missing check for the return + value from the initialization function which later leads to invalid + usage of the digest API most likely leading to a crash.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2023-0286</cvename> + <cvename>CVE-2022-4304</cvename> + <cvename>CVE-2022-4203</cvename> + <cvename>CVE-2023-0215</cvename> + <cvename>CVE-2022-4450</cvename> + <cvename>CVE-2023-0216</cvename> + <cvename>CVE-2023-0401</cvename> + <url>https://www.openssl.org/news/secadv/20230207.txt</url> + </references> + <dates> + <discovery>2023-02-07</discovery> + <entry>2023-02-07</entry> + </dates> + </vuln> + <vuln vid="c49a880d-a5bb-11ed-aab5-080027de9982"> <topic>Django -- multiple vulnerabilities</topic> <affects>
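Review bot: the `<references>` block in the new `648a432c-a71f-11ed-86e9-d4c9ef517024` entry lists seven `<cvename>` elements, but the description covers eight issues. CVE-2023-0217 (NULL dereference validating DSA public key) is described in the body and has no matching `<cvename>`, so a lookup by that CVE will not find this entry. Add `<cvename>CVE-2023-0217</cvename>` between the CVE-2023-0216 and CVE-2023-0401 lines. A smaller point in the same entry: the quoted paragraph for CVE-2023-0215 explains what BIO_new_NDEF is but stops before saying when the use-after-free occurs or what its impact is; consider quoting enough of the advisory that the paragraph states the flaw, as the other paragraphs do.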