Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency openssl/openssl to v3.3.2 #119

Merged
merged 1 commit into from
Oct 22, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Oct 22, 2024

This PR contains the following updates:

Package Update Change
openssl/openssl minor 3.2.0 -> 3.3.2

Release Notes

openssl/openssl (openssl/openssl)

v3.3.2

Compare Source

  • Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
    curve parameters.

    Use of the low-level GF(2^m) elliptic curve APIs with untrusted
    explicit values for the field polynomial can lead to out-of-bounds memory
    reads or writes.
    Applications working with "exotic" explicit binary (GF(2^m)) curve
    parameters, that make it possible to represent invalid field polynomials
    with a zero constant term, via the above or similar APIs, may terminate
    abruptly as a result of reading or writing outside of array bounds. Remote
    code execution cannot easily be ruled out.

    ([CVE-2024-9143])

    Viktor Dukhovni

v3.3.1

Compare Source

  • Fixed possible denial of service in X.509 name checks.

    Applications performing certificate name checks (e.g., TLS clients checking
    server certificates) may attempt to read an invalid memory address when
    comparing the expected name with an otherName subject alternative name of
    an X.509 certificate. This may result in an exception that terminates the
    application program.

    ([CVE-2024-6119])

    Viktor Dukhovni

  • Fixed possible buffer overread in SSL_select_next_proto().

    Calling the OpenSSL API function SSL_select_next_proto with an empty
    supported client protocols buffer may cause a crash or memory contents
    to be sent to the peer.

    ([CVE-2024-5535])

    Matt Caswell

v3.3.0

Compare Source

  • Fixed potential use after free after SSL_free_buffers() is called.

    The SSL_free_buffers function is used to free the internal OpenSSL
    buffer used when processing an incoming record from the network.
    The call is only expected to succeed if the buffer is not currently
    in use. However, two scenarios have been identified where the buffer
    is freed even when still in use.

    The first scenario occurs where a record header has been received
    from the network and processed by OpenSSL, but the full record body
    has not yet arrived. In this case calling SSL_free_buffers will succeed
    even though a record has only been partially processed and the buffer
    is still in use.

    The second scenario occurs where a full record containing application
    data has been received and processed by OpenSSL but the application has
    only read part of this data. Again a call to SSL_free_buffers will
    succeed even though the buffer is still in use.

    ([CVE-2024-4741])

    Matt Caswell

  • Fixed an issue where checking excessively long DSA keys or parameters may
    be very slow.

    Applications that use the functions EVP_PKEY_param_check() or
    EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
    experience long delays. Where the key or parameters that are being checked
    have been obtained from an untrusted source this may lead to a Denial of
    Service.

    To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS
    will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error
    reason.

    ([CVE-2024-4603])

    Tomáš Mráz

  • Improved EC/DSA nonce generation routines to avoid bias and timing
    side channel leaks.

    Thanks to Florian Sieck from Universität zu Lübeck and George Pantelakis
    and Hubert Kario from Red Hat for reporting the issues.

    Tomáš Mráz and Paul Dale

v3.2.3: OpenSSL 3.2.3

Compare Source

OpenSSL 3.2.3 is now available, including bug and security fixes: please download and upgrade!

v3.2.2

Compare Source

  • Fixed an issue where some non-default TLS server configurations can cause
    unbounded memory growth when processing TLSv1.3 sessions. An attacker may
    exploit certain server configurations to trigger unbounded memory growth that
    would lead to a Denial of Service

    This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option
    is being used (but not if early_data is also configured and the default
    anti-replay protection is in use). In this case, under certain conditions,
    the session cache can get into an incorrect state and it will fail to flush
    properly as it fills. The session cache will continue to grow in an unbounded
    manner. A malicious client could deliberately create the scenario for this
    failure to force a Denial of Service. It may also happen by accident in
    normal operation.

    ([CVE-2024-2511])

    Matt Caswell

  • Fixed bug where SSL_export_keying_material() could not be used with QUIC
    connections. (#​23560)

    Hugo Landau

v3.2.1

Compare Source

  • Fixed an issue where some non-default TLS server configurations can cause
    unbounded memory growth when processing TLSv1.3 sessions. An attacker may
    exploit certain server configurations to trigger unbounded memory growth that
    would lead to a Denial of Service

    This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option
    is being used (but not if early_data is also configured and the default
    anti-replay protection is in use). In this case, under certain conditions,
    the session cache can get into an incorrect state and it will fail to flush
    properly as it fills. The session cache will continue to grow in an unbounded
    manner. A malicious client could deliberately create the scenario for this
    failure to force a Denial of Service. It may also happen by accident in
    normal operation.

    ([CVE-2024-2511])

    Matt Caswell

  • Fixed bug where SSL_export_keying_material() could not be used with QUIC
    connections. (#​23560)

    Hugo Landau


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from cmeister2 October 22, 2024 10:19
@cmeister2 cmeister2 merged commit 24f27bd into master Oct 22, 2024
18 checks passed
@cmeister2 cmeister2 deleted the renovate/openssl-openssl-3.x branch October 22, 2024 11:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

1 participant