OpenSSL Security Advisory

Tomas Mraz tomas at openssl.org
Tue Jan 16 11:34:53 UTC 2024


Hello,

we are planning to do releases that would include these fixes soon.

Regards,

Tomas Mraz, OpenSSL


On Tue, 2024-01-16 at 08:19 +0000, Martin Bonner via openssl-users
wrote:
> There are now three low priority CVEs against OpenSSL 3.0 (which is the
> only one I care about – others will be interested in 3.1 and 3.2 too).
> 
> Are there any plans to release 3.0.13 with all of these fixed?  We bundle
> OpenSSL 3.0 in our software, customer IT departments run scans, and these
> complain about the software containing CVEs.
> 
> Yes, I know the _proper_ use of these scanners is to alert one to
> _potential_ problems, and one should carefully consider each of the
> reported vulnerabilities and decide whether they are relevant or not.
> The problem is that this requires thinking, and people don't like to do
> that if at all possible - they just want to be able to tick the box
> "scan run and no vulnerabilities found".
> 
> A release of 3.0.13 would allow us to satisfy these customers.
> 
> Martin Bonner
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Mon, 15 Jan 2024 12:32:16 +0000
> From: Tomas Mraz <tomas at openssl.org>
> To: openssl-project at openssl.org, openssl-users at openssl.org,
>         openssl-announce at openssl.org
> Subject: OpenSSL Security Advisory
> Message-ID: <ZaUl0KnRowwp+iAn at openssl.org>
> Content-Type: text/plain; charset=us-ascii
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> OpenSSL Security Advisory [15th January 2024]
> =============================================
> 
> Excessive time spent checking invalid RSA public keys (CVE-2023-6237)
> =====================================================================
> 
> Severity: Low
> 
> Issue summary: Checking excessively long invalid RSA public keys may take
> a long time.
> 
> OpenSSL versions 3.0.0 to 3.0.12, 3.1.0 to 3.1.4 and 3.2.0 are vulnerable
> to this issue.
> 
> OpenSSL versions 1.1.1 and 1.0.2 are not affected by this issue.
> 
> Due to the low severity of this issue we are not issuing new releases of
> OpenSSL at this time. The fix will be included in the next releases when
> they become available. The fix is also available in commit 0b0f7abf (for
> 3.2), commit a830f551 (for 3.1) and commit 18c02492 (for 3.0) in the
> OpenSSL git repository.
> 

-- 
Tomáš Mráz, OpenSSL
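The advisory quoted above (CVE-2023-6237) is about validation of excessively long invalid RSA public keys taking a long time. The script below is an added example, not part of this thread and not OpenSSL's own fix or API: it shows the defensive pattern of bounding the modulus size with a cheap pre-check before any expensive key validation is run on untrusted input. The 16384-bit limit, the small DER encoder/parser for PKCS#1 RSAPublicKey and the result strings are all assumptions made for the example; sample keys are constructed inline.

```python
"""Cheap size gate for untrusted RSA public keys (added example, not OpenSSL code).

Parses a PKCS#1 RSAPublicKey (SEQUENCE { modulus INTEGER, publicExponent
INTEGER }) just far enough to read the modulus bit length, and rejects
oversized or malformed keys before any costly validation would run.
"""

MAX_MODULUS_BITS = 16384  # assumed policy limit, not taken from the advisory


def _der_len(n: int) -> bytes:
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    """Encode a non-negative INTEGER; prepend 0x00 when the top bit is set."""
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_rsa_public_key(n: int, e: int) -> bytes:
    """Build a PKCS#1 RSAPublicKey DER blob (used here to construct samples)."""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at pos; raise on malformed input."""
    if pos + 1 >= len(buf):
        raise ValueError("truncated")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated")
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key(der: bytes):
    """Return (n, e) from a PKCS#1 RSAPublicKey without validating the key."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def precheck_rsa_public_key(der: bytes, max_bits: int = MAX_MODULUS_BITS) -> str:
    """Gate untrusted keys: only 'accept:run-full-check' should reach expensive validation."""
    try:
        n, e = parse_rsa_public_key(der)
    except ValueError:
        return "reject:malformed"
    if n.bit_length() > max_bits:          # size bound comes first: O(1), no big-number math
        return "reject:modulus-too-large"
    if n % 2 == 0 or e < 3 or e % 2 == 0:  # trivial sanity checks, still cheap
        return "reject:trivially-invalid"
    return "accept:run-full-check"


if __name__ == "__main__":
    # Constructed samples: a tiny textbook key, an oversized key, an even modulus.
    for label, blob in [
        ("small", encode_rsa_public_key(3233, 17)),
        ("huge", encode_rsa_public_key((1 << 20000) | 1, 65537)),
        ("even", encode_rsa_public_key(1 << 2047, 65537)),
        ("malformed", b"\x30\x05\x02\x01\x05"),
    ]:
        print(f"{label:10s} {len(blob):6d} bytes -> {precheck_rsa_public_key(blob)}")
```

The point of the ordering is that the bit-length comparison costs nothing regardless of key size, so an attacker-supplied multi-megabyte modulus is rejected before any primality or consistency check touches it; the accepted keys are then handed to the library's real validation routine.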


