[RndTbl] Fw: [SECURITY] Fedora 36 Update: openssl-3.0.8-1.fc36

Gilbert Detillieux Gilbert.Detillieux at umanitoba.ca
Wed Feb 22 14:17:53 CST 2023


As if we didn't already have enough issues with OpenSSL, what with 
buffer overrun vulnerabilities in new/recent code*, and more direct 
coding flaws (pointer free/dereference and such) that were recently 
announced**.

You'd think with the combined wealth and resources of Alphabet/Google, 
Apple, and Microsoft, they'd find it in their best collective 
self-interest to fund a project to replace this garbage with some, you 
know, actually secure code.

Sigh!

Gilbert

* https://nsfocusglobal.com/openssl-multiple-buffer-overflow-vulnerability-notice/

** https://www.openssl.org/news/secadv/20230207.txt
   https://linuxsecurity.com/features/urgent-openssl-security-advisory
   https://www.lansweeper.com/vulnerability/8-vulnerabilities-in-openssl-could-lead-to-system-crashes/
   https://www.ibm.com/support/pages/security-bulletin-multiple-vulnerabilities-openssl-affect-aix
   (Many of the above do mention the side-channel attack too.)

On 2023-02-22 1:51 p.m., Trevor Cordes wrote:
> Oh joy, "password timing" attacks come to SSL.
> 
> e.g. CVE-2022-4304  Published 2023-02-08T20:15:00
> A timing based side channel exists in the OpenSSL RSA Decryption
> implementation which could be sufficient to recover a plaintext across
> a network in a Bleichenbacher style attack.
> 
> 
> Begin forwarded message:
> 
> Date: Wed, 22 Feb 2023 11:09:09 +0000 (GMT)
> From: updates at fedoraproject.org
> To: package-announce at lists.fedoraproject.org
> Subject: [SECURITY] Fedora 36 Update: openssl-3.0.8-1.fc36
> 
> --------------------------------------------------------------------------------
> Fedora Update Notification
> FEDORA-2023-a5564c0a3f
> 2023-02-22 11:06:32.699863
> --------------------------------------------------------------------------------
> 
> Name        : openssl
> Product     : Fedora 36
> Version     : 3.0.8
> Release     : 1.fc36
> 
> * Thu Feb  9 2023 Dmitry Belyavskiy <dbelyavs at redhat.com> - 1:3.0.8-1
> - Rebase to upstream version 3.0.8
>    Resolves: CVE-2022-4203
>    Resolves: CVE-2022-4304
>    Resolves: CVE-2022-4450
>    Resolves: CVE-2023-0215
>    Resolves: CVE-2023-0216
>    Resolves: CVE-2023-0217
>    Resolves: CVE-2023-0286
>    Resolves: CVE-2023-0401

-- 
Gilbert Detillieux          E-mail: Gilbert.Detillieux at umanitoba.ca
Computer Science            Web:    http://www.cs.umanitoba.ca/~gedetil/
University of Manitoba      Phone:  204-474-8161
Winnipeg MB CANADA  R3T 2N2
For best CS dept. service, contact <cs-support at lists.umanitoba.ca>.
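An added example, not from this thread and not OpenSSL's code, of the class of flaw behind the "Bleichenbacher style" wording in the CVE-2022-4304 text quoted above: an RSA-PKCS#1 v1.5 decryption path whose observable behaviour depends on the decrypted bytes, beside a constant-time unpad of the shape TLS implementations use (RFC 5246 7.4.7.1: on bad padding, carry on with a random premaster secret rather than fail). The modulus size (64 bytes), the FALLBACK value and the BAD_BLOCKS inputs are constructed for illustration, and the leak shown here is the generic padding-check oracle, not the specific arithmetic-layer leak the 3.0.8 advisory fixed:

```python
# Added example, not code from the thread or from OpenSSL. Shows the general
# vulnerability class behind a "Bleichenbacher style" attack (a decryption
# path whose behaviour depends on the decrypted bytes) next to a constant-time
# PKCS#1 v1.5 unpad. Assumption: this is NOT the specific leak fixed in 3.0.8;
# CVE-2022-4304 sat in the modular-arithmetic layer, below any padding check.
import secrets

K = 64        # hypothetical modulus size in bytes (RSA-512); real keys are >= 2048 bits
MLEN = 48     # TLS premaster-secret length: the caller expects exactly this many bytes
FALLBACK = bytes(range(48))  # constructed stand-in for a freshly random premaster secret


def pkcs1_v15_pad(msg: bytes, k: int = K) -> bytes:
    """PKCS#1 v1.5 type-2 encoding: 00 02 || PS (nonzero, >= 8 bytes) || 00 || msg."""
    if len(msg) > k - 11:
        raise ValueError("message too long for modulus")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(k - len(msg) - 3))
    return b"\x00\x02" + ps + b"\x00" + msg


def leaky_unpad(em: bytes):
    """Naive decoder: every failure is a separate early return.
    Which branch fires (and how soon) depends on the decrypted bytes, so an
    attacker who can time or otherwise distinguish the failures gets the oracle
    Bleichenbacher needs: 'does the plaintext of this ciphertext start 00 02?'
    """
    if em[0] != 0x00:
        return None, "bad first byte"
    if em[1] != 0x02:
        return None, "bad block type"
    i = 2
    while i < len(em) and em[i] != 0x00:
        i += 1
    if i == len(em):
        return None, "no separator"
    if i - 2 < 8:
        return None, "padding too short"
    return em[i + 1:], "ok"


# Constant-time helpers on non-negative Python ints below 2**64. Python ints
# are not themselves constant-time; the point is the structure: no branch,
# loop bound or memory index depends on secret data.
def ct_eq(a: int, b: int) -> int:
    """0xFF if a == b else 0x00, computed without a data-dependent branch."""
    return (((a ^ b) - 1) >> 64) & 0xFF


def ct_select(mask: int, a: int, b: int) -> int:
    """mask is 0x00 or 0xFF: return a when set, b otherwise, without branching."""
    m = -(mask & 1)          # 0 or -1 (all ones) as a Python int
    return (a & m) | (b & ~m)


def constant_time_unpad(em: bytes, fallback: bytes) -> bytes:
    """Scan every byte, accumulate validity in a mask, and on failure return
    `fallback` instead of an error, so the caller's subsequent work is the
    same for good and bad ciphertexts. The message length is fixed and
    public, as in the TLS RSA key exchange."""
    k, mlen = len(em), len(fallback)
    sep = k - mlen - 1                       # where the 00 separator must sit
    if sep < 10:                             # public parameters: a branch is fine here
        raise ValueError("modulus too small for this message length")
    good = ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02)
    found, zero_index = 0x00, 0
    for i in range(2, k):                    # fixed trip count, no early exit
        is_zero = ct_eq(em[i], 0x00)
        first = is_zero & (found ^ 0xFF)     # only the first zero byte counts
        zero_index = ct_select(first, i, zero_index)
        found |= is_zero
    good &= found & ct_eq(zero_index, sep)   # separator exactly where mlen bytes leave it
    return bytes(ct_select(good, em[sep + 1 + j], fallback[j]) for j in range(mlen))


def distinguishable_outcomes(bad_blocks):
    """How many different behaviours each decoder exposes over malformed
    blocks. Returns (leaky_count, constant_time_count)."""
    leaky = {leaky_unpad(em)[1] for em in bad_blocks}
    ct = {constant_time_unpad(em, FALLBACK) for em in bad_blocks}
    return len(leaky), len(ct)


# Constructed malformed 64-byte blocks, each tripping a different check.
BAD_BLOCKS = [
    b"\x01\x02" + b"\x11" * 13 + b"\x00" + b"A" * 48,   # wrong first byte
    b"\x00\x01" + b"\x11" * 13 + b"\x00" + b"A" * 48,   # wrong block type
    b"\x00\x02" + b"\x11" * 62,                          # no separator at all
    b"\x00\x02" + b"\x11" * 3 + b"\x00" + b"A" * 58,     # only 3 padding bytes
]

if __name__ == "__main__":
    msg = secrets.token_bytes(MLEN)
    em = pkcs1_v15_pad(msg)
    assert leaky_unpad(em) == (msg, "ok")
    assert constant_time_unpad(em, FALLBACK) == msg
    print("distinguishable rejections (leaky, constant-time):",
          distinguishable_outcomes(BAD_BLOCKS))   # (4, 1)
```

The leaky decoder hands the attacker four tell-tale outcomes (and a loop whose length tracks the position of the first zero byte); the constant-time one collapses all of them into "here is a 48-byte secret, proceed", so the only thing left to observe is the later MAC failure, which looks the same for every bad ciphertext. Any single-bit oracle of the leaky kind is enough: Bleichenbacher's 1998 attack needed on the order of a million queries against a 1024-bit key, and that is why a timing difference in the decryption path, wherever it sits, is treated as plaintext recovery rather than a curiosity.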
