An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2023-1481 Final 1.0 1.0 2023-08-12 Initial 2023-08-12 2023-08-12 openEuler SA Tool V1.0 2023-08-12 openssl security update An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2. OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. Security Fix(es): Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.(CVE-2023-3817) An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium openssl https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1481 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-3817 https://nvd.nist.gov/vuln/detail/CVE-2023-3817 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 openEuler-22.03-LTS-SP2 openssl-debugsource-1.1.1f-27.oe1.aarch64.rpm openssl-devel-1.1.1f-27.oe1.aarch64.rpm openssl-1.1.1f-27.oe1.aarch64.rpm openssl-debuginfo-1.1.1f-27.oe1.aarch64.rpm openssl-libs-1.1.1f-27.oe1.aarch64.rpm openssl-debugsource-1.1.1f-27.oe1.aarch64.rpm openssl-debuginfo-1.1.1f-27.oe1.aarch64.rpm openssl-libs-1.1.1f-27.oe1.aarch64.rpm openssl-1.1.1f-27.oe1.aarch64.rpm openssl-devel-1.1.1f-27.oe1.aarch64.rpm openssl-1.1.1m-22.oe2203.aarch64.rpm openssl-debugsource-1.1.1m-22.oe2203.aarch64.rpm openssl-libs-1.1.1m-22.oe2203.aarch64.rpm openssl-perl-1.1.1m-22.oe2203.aarch64.rpm openssl-debuginfo-1.1.1m-22.oe2203.aarch64.rpm openssl-devel-1.1.1m-22.oe2203.aarch64.rpm openssl-libs-1.1.1m-25.oe2203sp1.aarch64.rpm openssl-perl-1.1.1m-25.oe2203sp1.aarch64.rpm openssl-debuginfo-1.1.1m-25.oe2203sp1.aarch64.rpm openssl-1.1.1m-25.oe2203sp1.aarch64.rpm openssl-debugsource-1.1.1m-25.oe2203sp1.aarch64.rpm openssl-devel-1.1.1m-25.oe2203sp1.aarch64.rpm openssl-devel-1.1.1m-22.oe2203sp2.aarch64.rpm openssl-debugsource-1.1.1m-22.oe2203sp2.aarch64.rpm openssl-libs-1.1.1m-22.oe2203sp2.aarch64.rpm openssl-debuginfo-1.1.1m-22.oe2203sp2.aarch64.rpm openssl-1.1.1m-22.oe2203sp2.aarch64.rpm openssl-perl-1.1.1m-22.oe2203sp2.aarch64.rpm openssl-help-1.1.1f-27.oe1.noarch.rpm openssl-help-1.1.1f-27.oe1.noarch.rpm openssl-help-1.1.1m-22.oe2203.noarch.rpm openssl-help-1.1.1m-25.oe2203sp1.noarch.rpm openssl-help-1.1.1m-22.oe2203sp2.noarch.rpm openssl-1.1.1f-27.oe1.src.rpm openssl-1.1.1f-27.oe1.src.rpm openssl-1.1.1m-22.oe2203.src.rpm openssl-1.1.1m-25.oe2203sp1.src.rpm openssl-1.1.1m-22.oe2203sp2.src.rpm openssl-1.1.1f-27.oe1.x86_64.rpm openssl-devel-1.1.1f-27.oe1.x86_64.rpm openssl-libs-1.1.1f-27.oe1.x86_64.rpm openssl-debuginfo-1.1.1f-27.oe1.x86_64.rpm openssl-debugsource-1.1.1f-27.oe1.x86_64.rpm openssl-devel-1.1.1f-27.oe1.x86_64.rpm openssl-debugsource-1.1.1f-27.oe1.x86_64.rpm openssl-debuginfo-1.1.1f-27.oe1.x86_64.rpm openssl-1.1.1f-27.oe1.x86_64.rpm openssl-libs-1.1.1f-27.oe1.x86_64.rpm openssl-debugsource-1.1.1m-22.oe2203.x86_64.rpm openssl-debuginfo-1.1.1m-22.oe2203.x86_64.rpm openssl-1.1.1m-22.oe2203.x86_64.rpm openssl-devel-1.1.1m-22.oe2203.x86_64.rpm openssl-libs-1.1.1m-22.oe2203.x86_64.rpm openssl-perl-1.1.1m-22.oe2203.x86_64.rpm openssl-debuginfo-1.1.1m-25.oe2203sp1.x86_64.rpm openssl-debugsource-1.1.1m-25.oe2203sp1.x86_64.rpm openssl-libs-1.1.1m-25.oe2203sp1.x86_64.rpm openssl-perl-1.1.1m-25.oe2203sp1.x86_64.rpm openssl-devel-1.1.1m-25.oe2203sp1.x86_64.rpm openssl-1.1.1m-25.oe2203sp1.x86_64.rpm openssl-debuginfo-1.1.1m-22.oe2203sp2.x86_64.rpm openssl-1.1.1m-22.oe2203sp2.x86_64.rpm openssl-devel-1.1.1m-22.oe2203sp2.x86_64.rpm openssl-debugsource-1.1.1m-22.oe2203sp2.x86_64.rpm openssl-perl-1.1.1m-22.oe2203sp2.x86_64.rpm openssl-libs-1.1.1m-22.oe2203sp2.x86_64.rpm Issue summary: Checking excessively long DH keys or parameters may be very slow.Impact summary: Applications that use the functions DH_check(), DH_check_ex()or EVP_PKEY_param_check() to check a DH key or DH parameters may experience longdelays. Where the key or parameters that are being checked have been obtainedfrom an untrusted source this may lead to a Denial of Service.The function DH_check() performs various checks on DH parameters. After fixingCVE-2023-3446 it was discovered that a large q parameter value can also triggeran overly long computation during some of these checks. A correct q value,if present, cannot be larger than the modulus p parameter, thus it isunnecessary to perform these checks if q is larger than p.An application that calls DH_check() and supplies a key or parameters obtainedfrom an untrusted source could be vulnerable to a Denial of Service attack.The function DH_check() is itself called by a number of other OpenSSL functions.An application calling any of those other functions may similarly be affected.The other functions affected by this are DH_check_ex() andEVP_PKEY_param_check().Also vulnerable are the OpenSSL dhparam and pkeyparam command line applicationswhen using the -check option.The OpenSSL SSL/TLS implementation is not affected by this issue.The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. 2023-08-12 CVE-2023-3817 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 openEuler-22.03-LTS-SP2 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L openssl security update 2023-08-12 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1481