Security Advisory Details

NS-SA-2024-0114

2024-05-18 16:44:15

Summary

low: openssl/libarchive security update

Severity

low

Topic

An update for openssl/libarchive is now available for NewStart CGSL MAIN 6.06.
NewStart Security has rated this update as having a security impact of low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Detailed Description

openssl:
libarchive:


Security Fix(es):
openssl: A security vulnerability has been identified in all supported OpenSSL versions related to verifying X.509 certificate chains that include policy constraints. An attacker can exploit this flaw by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial of service (DoS) on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0464)
openssl: A flaw was found in OpenSSL. Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. OpenSSL's certificate policy check silently ignores invalid certificate policies in leaf certificates, so policy checking is skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0465)
openssl: A flaw was found in OpenSSL. The X509_VERIFY_PARAM_add0_policy() function is documented to implicitly enable the certificate policy check when doing certificate verification. However, the implementation of the function does not enable the check, allowing certificates with invalid or incorrect policies to pass certificate verification. Suddenly enabling the policy check could break existing deployments, so it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. Applications that require OpenSSL to perform the certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.(CVE-2023-0466)
openssl: A vulnerability was found in OpenSSL. Applications that use the DH_check(), DH_check_ex(), or EVP_PKEY_param_check() functions to check a DH key or DH parameters may experience long delays. Where the key or parameters being checked have been obtained from an untrusted source, this may lead to a denial of service.(CVE-2023-3446)
openssl: A vulnerability was found in OpenSSL. Applications that use the DH_check(), DH_check_ex(), or EVP_PKEY_param_check() functions to check a DH key or DH parameters may experience long delays. Where the key or parameters being checked have been obtained from an untrusted source, this may lead to a denial of service.(CVE-2023-3817)
openssl: A flaw was found in OpenSSL, which caused the generation or checking of long X9.42 DH keys or parameters to be much slower than expected. This issue could lead to a denial of service.(CVE-2023-5678)
openssl: A flaw was found in OpenSSL. A malicious client can trigger uncontrolled memory consumption, resulting in a Denial of Service. This issue occurs because OpenSSL's TLSv1.3 session cache can enter an incorrect state in which it fails to flush properly as it fills. OpenSSL must be configured with the non-default SSL_OP_NO_TICKET option enabled to be vulnerable. This issue only affects TLSv1.3 servers; TLS clients are not affected.(CVE-2024-2511)
openssl: bugfix
libarchive: A flaw was found in libarchive. A missing check of the return value of the calloc function can cause a NULL pointer dereference in an out-of-memory condition or when a memory allocation limit is reached, causing the program linked with libarchive to crash.(CVE-2022-36227)
libarchive: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 6.06.07B7.

Affected Components

  • openssl
  • libarchive

Affected Products

  • CGSL MAIN 6.06

Update Packages

CGSL MAIN 6.06
  • openssl-1.1.1k-9.zncgsl6.t2.0.src.rpm
    • openssl-perl-1.1.1k-9.zncgsl6.t2.0.x86_64.rpm
    • openssl-libs-debuginfo-1.1.1k-9.zncgsl6.t2.0.x86_64.rpm
    • openssl-libs-1.1.1k-9.zncgsl6.t2.0.x86_64.rpm
    • openssl-devel-1.1.1k-9.zncgsl6.t2.0.x86_64.rpm
    • openssl-debuginfo-1.1.1k-9.zncgsl6.t2.0.x86_64.rpm
    • openssl-debugsource-1.1.1k-9.zncgsl6.t2.0.x86_64.rpm
    • openssl-static-1.1.1k-9.zncgsl6.t2.0.x86_64.rpm
    • openssl-1.1.1k-9.zncgsl6.t2.0.x86_64.rpm
  • libarchive-3.5.3-4.zncgsl6.src.rpm
    • bsdtar-debuginfo-3.5.3-4.zncgsl6.x86_64.rpm
    • bsdcpio-debuginfo-3.5.3-4.zncgsl6.x86_64.rpm
    • bsdcat-debuginfo-3.5.3-4.zncgsl6.x86_64.rpm
    • libarchive-devel-3.5.3-4.zncgsl6.x86_64.rpm
    • libarchive-debuginfo-3.5.3-4.zncgsl6.x86_64.rpm
    • libarchive-3.5.3-4.zncgsl6.x86_64.rpm
    • libarchive-debugsource-3.5.3-4.zncgsl6.x86_64.rpm
    • bsdtar-3.5.3-4.zncgsl6.x86_64.rpm
    • bsdcat-3.5.3-4.zncgsl6.x86_64.rpm
    • bsdcpio-3.5.3-4.zncgsl6.x86_64.rpm
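The package list above is what a host needs to be at or above to be covered by this advisory. The following is an added example, not part of the advisory or of NewStart's tooling: it reimplements rpm's version-comparison rules (digit, alpha and `~` segments) in pure Python and checks a saved `rpm -qa` listing against the advisory's fixed versions, so it runs offline. The `SAMPLE_RPM_QA` listing is constructed for illustration; on a real CGSL host you would feed it the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'`. It assumes epoch 0 throughout, as none of the advisory's packages carry an epoch, and it does not handle rpm's `^` separator.

```python
"""Check installed RPM NEVRAs against the fixed packages in NS-SA-2024-0114.

Added example; not from the advisory. Epochs are assumed to be 0 and the
rare '^' version separator is not handled.
"""

# Binary packages taken from the advisory's CGSL MAIN 6.06 package list.
FIXED_PACKAGES = [
    "openssl-1.1.1k-9.zncgsl6.t2.0.x86_64.rpm",
    "openssl-libs-1.1.1k-9.zncgsl6.t2.0.x86_64.rpm",
    "openssl-devel-1.1.1k-9.zncgsl6.t2.0.x86_64.rpm",
    "libarchive-3.5.3-4.zncgsl6.x86_64.rpm",
    "libarchive-devel-3.5.3-4.zncgsl6.x86_64.rpm",
    "bsdtar-3.5.3-4.zncgsl6.x86_64.rpm",
    "bsdcpio-3.5.3-4.zncgsl6.x86_64.rpm",
]

# Constructed sample of `rpm -qa` output from a hypothetical host (not real data).
SAMPLE_RPM_QA = """\
openssl-libs-1.1.1k-7.zncgsl6.x86_64
openssl-1.1.1k-9.zncgsl6.t2.0.x86_64
libarchive-3.5.3-4.zncgsl6.x86_64
bsdtar-3.5.3-3.zncgsl6.x86_64
vim-minimal-8.2.0-1.zncgsl6.x86_64
"""


def _take(s, i, pred):
    """Return the run of characters starting at s[i] that satisfy pred, and the new index."""
    j = i
    while j < len(s) and pred(s[j]):
        j += 1
    return s[i:j], j


def rpmvercmp(a, b):
    """Compare two version/release strings with rpm's segment rules; returns -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything that is not alphanumeric or '~') are skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:  # '~' sorts before everything, even end of string (pre-releases)
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take a maximal all-digit or all-alpha segment from each side.
        if a[i].isdigit():
            sa, i = _take(a, i, str.isdigit)
            sb, j = _take(b, j, str.isdigit)
            numeric = True
        else:
            sa, i = _take(a, i, str.isalpha)
            sb, j = _take(b, j, str.isalpha)
            numeric = False
        if not sb:  # segment types differ: a numeric segment is newer than an alpha one
            return 1 if numeric else -1
        if numeric:
            if int(sa) != int(sb):
                return 1 if int(sa) > int(sb) else -1
        elif sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1  # whichever side still has characters left wins


def compare_evr(evr_a, evr_b):
    """Compare (epoch, version, release) tuples; returns -1, 0 or 1."""
    ea, va, ra = evr_a
    eb, vb, rb = evr_b
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)


def parse_nevra(s):
    """Split 'name-version-release.arch[.rpm]' into (name, epoch, version, release, arch)."""
    if s.endswith(".rpm"):
        s = s[:-4]
    rest, arch = s.rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)  # names may themselves contain '-'
    return name, 0, version, release, arch


def audit(rpm_qa_output, fixed_packages=FIXED_PACKAGES):
    """Map each advisory package found in the listing to 'fixed' or 'vulnerable'."""
    fixed = {}
    for pkg in fixed_packages:
        name, epoch, version, release, _ = parse_nevra(pkg)
        fixed[name] = (epoch, version, release)
    status = {}
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, epoch, version, release, _ = parse_nevra(line)
        if name not in fixed:
            continue  # not covered by this advisory
        ok = compare_evr((epoch, version, release), fixed[name]) >= 0
        status[name] = "fixed" if ok else "vulnerable"
    return status


if __name__ == "__main__":
    for name, state in sorted(audit(SAMPLE_RPM_QA).items()):
        print(f"{name:16s} {state}")
```

A plain string comparison would not do here: the release `9.zncgsl6.t2.0` must sort above `7.zncgsl6` segment by segment, and a pre-release marker such as `~rc1` must sort below the final version, which is why the comparison is segment-based rather than lexicographic.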

CVE

References

© 2004-2023 Guangdong ZTE NewStart Technology Co., Ltd. All rights reserved (www.gd-linux.com) 粤ICP备15061780号-2
