OpenSSL Security Advisory

Martin Bonner Martin.Bonner at entrust.com
Tue Jan 16 08:19:07 UTC 2024


There are now three low priority CVEs against OpenSSL 3.0 (which is the only one
I care about – others will be interested in 3.1 and 3.2 too).

Are there any plans to release 3.0.13 with all of these fixed?  We bundle
OpenSSL 3.0 in our software, customer IT departments run scans, and these
complain about the software containing CVEs.

Yes, I know the _proper_ use of these scanners is to alert one to _potential_
problems, and one should carefully consider each of the reported vulnerabilities
and decide whether they are relevant or not.  The problem is that this requires
thinking, and people don't like to do that if at all possible - they just want
to be able to tick the box "scan run and no vulnerabilities found".

A release of 3.0.13 would allow us to satisfy these customers.

Martin Bonner

----------------------------------------------------------------------

Message: 1
Date: Mon, 15 Jan 2024 12:32:16 +0000
From: Tomas Mraz <tomas at openssl.org>
To: openssl-project at openssl.org, openssl-users at openssl.org,
        openssl-announce at openssl.org
Subject: OpenSSL Security Advisory
Message-ID: <ZaUl0KnRowwp+iAn at openssl.org>
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL Security Advisory [15th January 2024]
=============================================

Excessive time spent checking invalid RSA public keys (CVE-2023-6237)
=====================================================================

Severity: Low

Issue summary: Checking excessively long invalid RSA public keys may take
a long time.

…

OpenSSL versions 3.0.0 to 3.0.12, 3.1.0 to 3.1.4 and 3.2.0 are vulnerable to
this issue.

OpenSSL versions 1.1.1 and 1.0.2 are not affected by this issue.

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit 0b0f7abf (for 3.2),
commit a830f551 (for 3.1) and commit 18c02492 (for 3.0) in the OpenSSL git
repository.

