openssl-1.1.1k-15.el8_6
Errata ID: AXSA:2026-218:06
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.
Security Fix(es):
* openssl: OpenSSL: Arbitrary code execution due to out-of-bounds write in PKCS#12 processing (CVE-2025-69419)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2025-69419
Issue summary: Calling the PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing a non-ASCII BMP code point can trigger a one-byte write before the allocated buffer.
Impact summary: The out-of-bounds write can cause memory corruption, which can have various consequences including a Denial of Service.
The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing a write outside the heap-allocated buffer.
The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function.
Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application, and the attacker can only trigger a one zero-byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to OpenSSL's Security Policy.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.
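The length-accounting defect described above, modelled as an added C example (this is not OpenSSL's code; utf8_putc_model() and bmp_to_utf8_model() are hypothetical names that follow the advisory's description of UTF8_putc() and bmp_to_utf8()). The sample friendly name is a constructed single code point, U+3042; the flawed path only reports the negative length the advisory describes and deliberately skips the trailing NUL write, while the checked path rejects the call instead.

```c
/* Model of UTF8_putc(): encode one BMP code point into buf if cap allows.
 * Returns the number of bytes written, or -1 if cap is too small. */
static int utf8_putc_model(unsigned char *buf, int cap, unsigned long cp)
{
    int len = (cp < 0x80) ? 1 : (cp < 0x800) ? 2 : 3;  /* BMP only */
    if (cap < len)
        return -1;
    if (len == 1) {
        buf[0] = (unsigned char)cp;
    } else if (len == 2) {
        buf[0] = (unsigned char)(0xC0 | (cp >> 6));
        buf[1] = (unsigned char)(0x80 | (cp & 0x3F));
    } else {
        buf[0] = (unsigned char)(0xE0 | (cp >> 12));
        buf[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
        buf[2] = (unsigned char)(0x80 | (cp & 0x3F));
    }
    return len;
}

/* Second pass of the BMPString (UTF-16BE) to UTF-8 conversion as the
 * advisory describes it; 'out' holds 'outcap' bytes (first-pass size).
 * Returns the UTF-8 byte count, or -1 on error.  With flawed_capacity
 * set, the remaining *source* byte count is passed as the destination
 * capacity and the -1 from utf8_putc_model() is added unchecked, so a
 * lone code point above U+07FF yields length -1 (the NUL would land at
 * out[-1]); the model returns that length instead of writing the NUL. */
static int bmp_to_utf8_model(const unsigned char *uni, int unilen,
                             unsigned char *out, int outcap,
                             int flawed_capacity)
{
    int i, len = 0;
    for (i = 0; i + 1 < unilen; i += 2) {
        unsigned long cp = ((unsigned long)uni[i] << 8) | uni[i + 1];
        int cap = flawed_capacity ? unilen - i : outcap - len;
        int n = utf8_putc_model(out + len, cap, cp);
        if (!flawed_capacity && (n < 0 || outcap - len <= n))
            return -1;          /* no room for the bytes plus the NUL */
        len += n;               /* flawed path: may go negative */
    }
    if (!flawed_capacity)
        out[len] = '\0';        /* safe: room was checked above */
    return len;
}

/* Constructed sample friendly name: the single BMP code point U+3042,
 * which needs three UTF-8 bytes but arrives as two UTF-16BE bytes. */
static const unsigned char SAMPLE_NAME[] = { 0x30, 0x42 };
static unsigned char SCRATCH[16];
```

Any name of one or more characters whose last code point is above U+07FF reaches the -1 return in the flawed path; only a single-character name makes the total negative, which matches the advisory's "one byte before the allocated buffer".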
Update packages.
N/A
SRPMS
- openssl-1.1.1k-15.el8_6.src.rpm
MD5: 03df96fa3c7c961d56a890f0f1c7f669
SHA-256: 98188edefa0b6e148e387f8f12fef58efc19a441699109eb9adb9dcfd3277905
Size: 7.39 MB
Asianux Server 8 for x86_64
- openssl-1.1.1k-15.el8_6.x86_64.rpm
MD5: 2785f50f51ee165ef0351a3bc588c2c7
SHA-256: 4463c939102ed2ddab6827112d3c3724e399417b8ca8875f2b08600f3299e139
Size: 710.30 kB
- openssl-devel-1.1.1k-15.el8_6.i686.rpm
MD5: 1464c797e7103ec913c1a9f46e6f1d82
SHA-256: 3bc0bf8bdcc57719b980e0608878449765f430d41555399fddb9fc353d30aa8f
Size: 2.33 MB
- openssl-devel-1.1.1k-15.el8_6.x86_64.rpm
MD5: 09f3283042393693069426850a2a72e8
SHA-256: 9d736ce3c86c6b1fede732e6ca7b55947c4d8438cc29f7d6932d127e79d406da
Size: 2.33 MB
- openssl-libs-1.1.1k-15.el8_6.i686.rpm
MD5: 5e19e3f278d72f345d2080bb3a323592
SHA-256: 90edfeb877986d69334b3e39886cb3ad9a220c8043cf764cd52675688a324113
Size: 1.48 MB
- openssl-libs-1.1.1k-15.el8_6.x86_64.rpm
MD5: 93fa9579d7121f02704c14c9ed13d53b
SHA-256: 1870c913c942676fe81b70b7910be000bf7985937c335eb39c4d94db8d48550a
Size: 1.47 MB
- openssl-perl-1.1.1k-15.el8_6.x86_64.rpm
MD5: 44f15ac8071304b94c15cc83abbd5dc7
SHA-256: 93b2a6d88d52687ca16816961a162e2586924128905af43f6f8ae76efe9e6bef
Size: 82.93 kB