From nobody Tue Feb 07 19:54:01 2023 X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4PBDN958vXz3ndHN; Tue, 7 Feb 2023 19:54:01 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4PBDN94X7Xz4lN6; Tue, 7 Feb 2023 19:54:01 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1675799641; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=GjaCgzseI9wrZRGYnlfeMBBxqeDu0hfe0XUBu4uWxSM=; b=awUBvJwauPgau8I7u4L4uHXo6IkEyVjmdsUWSzfOW41TYgqkhazyMxpf81me1QxVi+Iz0P v2toBpgc2jf6QN6pQJowfP3dwkRWvKzmOaSNLcacNVdCXdnLqh9JGmuDQjJCVL42JGrrju s0PfooZm9apreLx/zx3N0mtlC09artoRCftZvns6XX21MHUOrKJuvN0cpiiBhXnqM8spt7 fwZgV/pxa9Pgwz2HYH0rW5TzZluhFi9/FxsJ/IpkFEIqhmlRgCiEfImok57Smv93hjNay0 Y7LYopoZ7ODr5ImZPu6au+23y2IDvreFgVPFobB54KHUMhI9M5gUtg6moQA1EQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1675799641; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=GjaCgzseI9wrZRGYnlfeMBBxqeDu0hfe0XUBu4uWxSM=; b=rnpuf5al6rh6SAZF9LwV+2eAhxt0s158wFI3gpCgwlcECBZX79ZMvQOoGUe18BcN+jjI2i PMqbfw1ZWfeSKPIWiwRmu7mEBAwSPLvg2PqVbfUirmT58wGlyvVBwwUuSbDIcAEJU1x9z3 eB4CWsxgU9T4cj2pVVWfSfp2exM4Rlu9Y38IsKhNKQ/W8bbYOdSNa9BaglGgwDvRTOKttp rcABBMJ6xaXx4GXlLBcHsquZw9AQqeWDksxOzTW2MYgZ6X5bQHTp0q9ofE7UUv/rCBPzgQ N095ycHq9WhU28MteBIREDPkR8wNTXvsIMc6HI5qzKPYMUIn6TnYTiG9EzYg3A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1675799641; a=rsa-sha256; cv=none; b=ucRUOEXS5xkMtpUGr7vDPxmQhFM0/aUaAu2S95C3DV6JXoTenJ0BGvSUXjtk5bbQ3n/Rl2 eV36OB8xzpLumg/URc7N8eIisUK94kdS0/gzvSDZxZ6nLIqjougB8F7+7QjHvJAfFLfQCA dLzAtCtFnlbWI7D1pfbvc16z4N6ZUqK2yl6MWfOePO2HWfcqTMe/wY03Mg9/FDfnJiOM/J HMX6AJBS+V+y+xH0ShRxOFBCoMw3XiIv3nKWD6ZL47Pw/jcksGKXZcD234pPE3vxjgWNz3 lDfgRd9Vte8guZblJkx8PU8ZADZ3eCyEKKoCq8F2zNkDaYRRgBcIlufqE/D+7w== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4PBDN93bnxzTSJ; Tue, 7 Feb 2023 19:54:01 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 317Js1rc006686; Tue, 7 Feb 2023 19:54:01 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 317Js1ho006685; Tue, 7 Feb 2023 19:54:01 GMT (envelope-from git) Date: Tue, 7 Feb 2023 19:54:01 GMT Message-Id: <202302071954.317Js1ho006685@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Bernard Spil Subject: git: 43ba1e9c8da6 - main - security/vuxml: Document new OpenSSL vulnerabilities List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-all@freebsd.org X-BeenThere: dev-commits-ports-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: brnrd X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 43ba1e9c8da6e7398e3bbbd7cb3a22927627cc80 Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by brnrd: URL: https://cgit.FreeBSD.org/ports/commit/?id=43ba1e9c8da6e7398e3bbbd7cb3a22927627cc80 commit 43ba1e9c8da6e7398e3bbbd7cb3a22927627cc80 Author: Bernard Spil AuthorDate: 2023-02-07 19:53:59 +0000 Commit: Bernard Spil CommitDate: 2023-02-07 19:53:59 +0000 security/vuxml: Document new OpenSSL vulnerabilities --- security/vuxml/vuln/2023.xml | 96 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 96 insertions(+) diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index d1f49c49a55d..f5afecca995b 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,3 +1,99 @@ + + OpenSSL -- Multiple vulnerabilities + + + openssl + 1.1.1t,1 + + + openssl-devel + 3.0.8 + + + openssl-quictls + 3.0.8 + + + + +

The OpenSSL project reports:

+
+

X.400 address type confusion in X.509 GeneralName (CVE-2023-0286) (High): + There is a type confusion vulnerability relating to X.400 address processing + inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but + the public structure definition for GENERAL_NAME incorrectly specified the type + of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by + the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an + ASN1_STRING.

+

Timing Oracle in RSA Decryption (CVE-2022-4304) (Moderate): + A timing based side channel exists in the OpenSSL RSA Decryption implementation + which could be sufficient to recover a plaintext across a network in a + Bleichenbacher style attack. To achieve a successful decryption an attacker + would have to be able to send a very large number of trial messages for + decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, + RSA-OEAP and RSASVE.

+

X.509 Name Constraints Read Buffer Overflow (CVE-2022-4203) (Moderate): + A read buffer overrun can be triggered in X.509 certificate verification, + specifically in name constraint checking. Note that this occurs + after certificate chain signature verification and requires either a + CA to have signed the malicious certificate or for the application to + continue certificate verification despite failure to construct a path + to a trusted issuer.

+

Use-after-free following BIO_new_NDEF (CVE-2023-0215) (Moderate): + The public API function BIO_new_NDEF is a helper function used for streaming + ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the + SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by + end user applications.

+

Double free after calling PEM_read_bio_ex (CVE-2022-4450) (Moderate): + The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and + decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. + If the function succeeds then the "name_out", "header" and "data" arguments are + populated with pointers to buffers containing the relevant decoded data. The + caller is responsible for freeing those buffers. It is possible to construct a + PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() + will return a failure code but will populate the header argument with a pointer + to a buffer that has already been freed. If the caller also frees this buffer + then a double free will occur. This will most likely lead to a crash. This + could be exploited by an attacker who has the ability to supply malicious PEM + files for parsing to achieve a denial of service attack.

+

Invalid pointer dereference in d2i_PKCS7 functions (CVE-2023-0216) (Moderate): + An invalid pointer dereference on read can be triggered when an + application tries to load malformed PKCS7 data with the + d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.

+

NULL dereference validating DSA public key (CVE-2023-0217) (Moderate): + An invalid pointer dereference on read can be triggered when an + application tries to check a malformed DSA public key by the + EVP_PKEY_public_check() function. This will most likely lead + to an application crash. This function can be called on public + keys supplied from untrusted sources which could allow an attacker + to cause a denial of service attack.

+

NULL dereference during PKCS7 data verification (CVE-2023-0401) (Moderate): + A NULL pointer can be dereferenced when signatures are being + verified on PKCS7 signed or signedAndEnveloped data. In case the hash + algorithm used for the signature is known to the OpenSSL library but + the implementation of the hash algorithm is not available the digest + initialization will fail. There is a missing check for the return + value from the initialization function which later leads to invalid + usage of the digest API most likely leading to a crash.

+
+ + + + CVE-2023-0286 + CVE-2022-4304 + CVE-2022-4203 + CVE-2023-0215 + CVE-2022-4450 + CVE-2023-0216 + CVE-2023-0401 + https://www.openssl.org/news/secadv/20230207.txt + + + 2023-02-07 + 2023-02-07 + + + Django -- multiple vulnerabilities