[gentoo-announce] [ GLSA-202211-01 ] OpenSSL: Multiple Vulnerabilities - gentoo-announce

From:	John Helmert III <ajak@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA-202211-01 ] OpenSSL: Multiple Vulnerabilities
Date:	Tue, 01 Nov 2022 22:18:12
Message-Id:	`Y2Ga2CAdaR9/sItr@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 202211-01

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                           https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: OpenSSL: Multiple Vulnerabilities

9

     Date: November 01, 2022

10

     Bugs: #878269

11

       ID: 202211-01

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple vulnerabilities have been discovered in OpenSSL, the worst of

19

which could result in remote code execution.

20

21

Background

22

==========

23

24

OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer

25

(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general

26

purpose cryptography library.

27

28

Affected packages

29

=================

30

31

    -------------------------------------------------------------------

32

     Package              /     Vulnerable     /            Unaffected

33

    -------------------------------------------------------------------

34

  1  dev-libs/openssl           < 3.0.7:0/3               >= 3.0.7:0/3

35

36

Description

37

===========

38

39

Multiple buffer overflows exist in OpenSSL's handling of TLS

40

certificates for client authentication.

41

42

Impact

43

======

44

45

It is believed that, while unlikely, code execution is possible in

46

certain system configurations.

47

48

Workaround

49

==========

50

51

Users operating TLS servers may consider disabling TLS client

52

authentication, if it is being used, until fixes are applied.

53

54

Resolution

55

==========

56

57

All OpenSSL 3 users should upgrade to the latest version:

58

59

  # emerge --sync

60

  # emerge --ask --oneshot --verbose ">=dev-libs/openssl-3.0.7"

61

62

References

63

==========

64

65

[ 1 ] CVE-2022-3602

66

      https://nvd.nist.gov/vuln/detail/CVE-2022-3602

67

[ 2 ] CVE-2022-3786

68

      https://nvd.nist.gov/vuln/detail/CVE-2022-3786

69

70

Availability

71

============

72

73

This GLSA and any updates to it are available for viewing at

74

the Gentoo Security Website:

75

76

 https://security.gentoo.org/glsa/202211-01

77

78

Concerns?

79

=========

80

81

Security is a primary focus of Gentoo Linux and ensuring the

82

confidentiality and security of our users' machines is of utmost

83

importance to us. Any security concerns should be addressed to

84

security@g.o or alternatively, you may file a bug at

85

https://bugs.gentoo.org.

86

87

License

88

=======

89

90

Copyright 2022 Gentoo Foundation, Inc; referenced text

91

belongs to its owner(s).

92

93

The contents of this document are licensed under the

94

Creative Commons - Attribution / Share Alike license.

95

96

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 202211-01
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: OpenSSL: Multiple Vulnerabilities
9	Date: November 01, 2022
10	Bugs: #878269
11	ID: 202211-01
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple vulnerabilities have been discovered in OpenSSL, the worst of
19	which could result in remote code execution.
20
21	Background
22	==========
23
24	OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
25	(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
26	purpose cryptography library.
27
28	Affected packages
29	=================
30
31	-------------------------------------------------------------------
32	Package / Vulnerable / Unaffected
33	-------------------------------------------------------------------
34	1 dev-libs/openssl < 3.0.7:0/3 >= 3.0.7:0/3
35
36	Description
37	===========
38
39	Multiple buffer overflows exist in OpenSSL's handling of TLS
40	certificates for client authentication.
41
42	Impact
43	======
44
45	It is believed that, while unlikely, code execution is possible in
46	certain system configurations.
47
48	Workaround
49	==========
50
51	Users operating TLS servers may consider disabling TLS client
52	authentication, if it is being used, until fixes are applied.
53
54	Resolution
55	==========
56
57	All OpenSSL 3 users should upgrade to the latest version:
58
59	# emerge --sync
60	# emerge --ask --oneshot --verbose ">=dev-libs/openssl-3.0.7"
61
62	References
63	==========
64
65	[ 1 ] CVE-2022-3602
66	https://nvd.nist.gov/vuln/detail/CVE-2022-3602
67	[ 2 ] CVE-2022-3786
68	https://nvd.nist.gov/vuln/detail/CVE-2022-3786
69
70	Availability
71	============
72
73	This GLSA and any updates to it are available for viewing at
74	the Gentoo Security Website:
75
76	https://security.gentoo.org/glsa/202211-01
77
78	Concerns?
79	=========
80
81	Security is a primary focus of Gentoo Linux and ensuring the
82	confidentiality and security of our users' machines is of utmost
83	importance to us. Any security concerns should be addressed to
84	security@g.o or alternatively, you may file a bug at
85	https://bugs.gentoo.org.
86
87	License
88	=======
89
90	Copyright 2022 Gentoo Foundation, Inc; referenced text
91	belongs to its owner(s).
92
93	The contents of this document are licensed under the
94	Creative Commons - Attribution / Share Alike license.
95
96	https://creativecommons.org/licenses/by-sa/2.5