openssl-3.0.7-6.el9
Errata ID: AXSA:2023-5373:04
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.
Security Fix(es):
* openssl: Using a Custom Cipher with NID_undef may lead to NULL encryption (CVE-2022-3358)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2022-3358
OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decryption initialisation function will match the NULL cipher as being equivalent and will fetch this from the available providers. This will succeed if the default provider has been loaded (or if a third party provider has been loaded that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext. Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialisation function. Applications that only use SSL/TLS are not impacted by this issue. Fixed in OpenSSL 3.0.6 (Affected 3.0.0-3.0.5).
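As an added example (not part of the advisory or of OpenSSL), the shell helper below applies the two conditions stated above: whether an upstream version string falls in the affected 3.0.0-3.0.5 range, and whether source code calls EVP_CIPHER_meth_new() with NID_undef. The function names and sample files are constructed for illustration; the scan also treats a literal 0 as NID_undef, which is its value in OpenSSL's headers.

```shell
#!/bin/sh
# Added triage helper for CVE-2022-3358; function names are hypothetical.

# Return 0 if the upstream OpenSSL version is in the range the advisory gives
# as affected (3.0.0 to 3.0.5). A package release suffix such as "-6.el9" is
# ignored, so distribution backports are NOT taken into account.
openssl_version_affected() {
    case "${1%%-*}" in
        3.0.[0-5]) return 0 ;;
        *)         return 1 ;;
    esac
}

# Print every C/C++ file under $1 that calls EVP_CIPHER_meth_new() with
# NID_undef (or its literal value 0) as the first argument. Newlines are
# collapsed first so calls split across lines are still matched. Matches in
# comments are reported too; review each hit by hand.
find_nid_undef_ciphers() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' -o -name '*.cc' -o -name '*.cpp' \) |
    while IFS= read -r f; do
        if tr '\n' ' ' < "$f" | grep -Eq \
            'EVP_CIPHER_meth_new[[:space:]]*\([[:space:]]*(NID_undef|0)[[:space:]]*,'
        then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample sources, written to a temporary directory.
make_sample_tree() {
    d=$(mktemp -d)
    printf 'EVP_CIPHER *c = EVP_CIPHER_meth_new(\n    NID_undef, 1, 16);\n' > "$d/bad.c"
    printf 'EVP_CIPHER *c = EVP_CIPHER_meth_new(NID_aes_128_cbc, 16, 16);\n' > "$d/ok.c"
    printf '%s\n' "$d"
}

tree=$(make_sample_tree)
for v in 3.0.1 3.0.5 3.0.7-6.el9; do
    if openssl_version_affected "$v"; then s=affected; else s="not affected"; fi
    printf '%s: %s\n' "$v" "$s"
done
find_nid_undef_ciphers "$tree"
rm -rf "$tree"
```

On an installed system, the version argument can come from `rpm -q --qf '%{VERSION}' openssl-libs`; because the release suffix is ignored, a vendor package with a backported fix would still be reported as affected.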
Update packages.
N/A
SRPMS
- openssl-3.0.7-6.el9.src.rpm
MD5: a23883b55eb6c1d9b52c39829ec18104
SHA-256: d3039684564e1216ec40de6cfb7be799502db957973bf3127bd7e0c7fc785441
Size: 14.86 MB
Asianux Server 9 for x86_64
- openssl-3.0.7-6.el9.x86_64.rpm
MD5: 28af05a8db5cce74c22f6dd42e780868
SHA-256: 44f2b4913538f8b70ff3c4538a785155a2ced2dfdb743e7c922753b4beef1b7b
Size: 1.15 MB
- openssl-devel-3.0.7-6.el9.i686.rpm
MD5: bb1401db6896a0f45a7a12a0deb670e4
SHA-256: 18ebae65bd1441884eece3eedbbb0ef1fa6cccb71bac104045d95cbba33e8206
Size: 2.98 MB
- openssl-devel-3.0.7-6.el9.x86_64.rpm
MD5: 11a53003db74f3bad89bb75b6c9f8d46
SHA-256: 7a49da90a16922c529c23740e33b1221d306db5693a77d0522fcf36004ee0598
Size: 2.98 MB
- openssl-libs-3.0.7-6.el9.i686.rpm
MD5: f7606a4da7fe3155ccf0bba0eaea77e4
SHA-256: 8dac40385d09e15adc12dbe8dcf5a1b20c528c5164727e1727c3965c9948e5c6
Size: 2.14 MB
- openssl-libs-3.0.7-6.el9.x86_64.rpm
MD5: fef7f89d982a9c191a84da02fd7fcfda
SHA-256: 85e8c1d25c8fce2aa193053fada9bd28efb4d23308f46549d8774597b0ee40fb
Size: 2.14 MB
- openssl-perl-3.0.7-6.el9.x86_64.rpm
MD5: c4f0e8972ba15385c88b95340130fcd4
SHA-256: 6c10f10137eda0d403a026dba613a36674ac5caf2023d973ac93b95e756a6d77
Size: 38.82 kB