openssl-1.0.2k-26.0.6.el7.AXS7

エラータID: AXSA:2025-10997:05

Release date: 
Tuesday, October 28, 2025 - 10:02
Subject: 
openssl-1.0.2k-26.0.6.el7.AXS7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.

Security Fix(es):

* CVE-2019-1547: fix side-channel vulnerability in ECDSA when using explicit
EC parameters without cofactor
* CVE-2025-9230: fix incorrect check of unwrapped key size

CVE(s):
CVE-2019-1547
Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
CVE-2025-9230
Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code. Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.

Solution: 

Update packages.

CVEs: 
CVE-2019-1547
Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
CVE-2025-9230
Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code. Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.
Additional Info: 

N/A

Download: 

Asianux Server 7 for x86_64
  1. openssl-1.0.2k-26.0.6.el7.AXS7.x86_64.rpm
    MD5: 56e780278db25f643c76ea4b8e545f1c
    SHA-256: 6cfef27bc762796bbb739ed72e4677ca3915aa576054f875cb3cddd5d162e730
    Size: 495.17 kB
  2. openssl-devel-1.0.2k-26.0.6.el7.AXS7.i686.rpm
    MD5: fc09b53a6a303db1f27a22cd2e60fe4f
    SHA-256: 5b9db8d9c902ac2107ba5020a353afa30ac0ab4da39f68e8e290cf7a0f83e0a8
    Size: 1.51 MB
  3. openssl-devel-1.0.2k-26.0.6.el7.AXS7.x86_64.rpm
    MD5: fdac20778b021aa38ace392320171c6a
    SHA-256: 8c2ca0179726bc342437c7708b97d2e0bb3d5c67d86f7bfd5b8100105a868443
    Size: 1.51 MB
  4. openssl-libs-1.0.2k-26.0.6.el7.AXS7.i686.rpm
    MD5: 27cb211163f5cd2c253b853e31426ce9
    SHA-256: afe48954e55c7d180cc136b9740409575a602a4b458045336c7cdb9d8d1d3457
    Size: 0.98 MB
  5. openssl-libs-1.0.2k-26.0.6.el7.AXS7.x86_64.rpm
    MD5: 24568d8e8965cb318f1ab153c82726e1
    SHA-256: de4f3aee6a15dbd9a017e390b99258875849f6e46745ac33b4b835ecdb0c7cb6
    Size: 1.20 MB