If you think you have found a security bug in OpenSSL, please report it to us.

Note: All OpenSSL versions before 1.1.1 are out of support and no longer receiving updates. Extended support is available for 1.0.2 from OpenSSL Software Services for premium support customers.

… to crash leading to a potential Denial of Service attack.

Impact summary: Applications loading files in the PKCS12 format from untrusted …

A file in PKCS12 format can contain certificates and keys and may come from an … The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue.

OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass().

We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.

CVE-2023-6237 Excessive time spent checking invalid RSA public keys

15 January 2024

Issue summary: Checking excessively long invalid RSA public keys may take a long time.

Found by Bahaa Naamneh (Crosspoint Labs).

Fixed in OpenSSL 3.2.1 (git commit) (Affected since 3.2.0)
Fixed in OpenSSL 3.1.5 (git commit) (Affected since 3.1.0)
Fixed in OpenSSL 3.0.13 (git commit) (Affected since 3.0.0)
Fixed in OpenSSL 1.1.1x (premium support) (Affected since 1.1.1)
Fixed in OpenSSL 1.0.2zj (premium support) (Affected since 1.0.2)
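As an added example, not code from the OpenSSL project or from the advisory text above: a small C check that decodes the packed OpenSSL version number and reports whether the library in use is at or past the fixed releases named above (3.2.1, 3.1.5, 3.0.13, 1.1.1x), so that an application feeding untrusted PKCS12 files to the listed entry points can refuse to do so on an affected build. The enum, the function names and the sample values are this example's own; the packed layouts are the ones OpenSSL documents in its opensslv.h header, releases before 1.1.1 are reported as out of support per the note above (1.0.2zj is not encoded separately), and a branch the advisory does not name, such as 3.3, is reported as not listed rather than fixed. At runtime the value to pass is OpenSSL_version_num() from <openssl/crypto.h>; this file compiles without any OpenSSL header.

```c
#include <stdio.h>

/*
 * Packed OpenSSL version layouts (as documented in opensslv.h):
 *   3.x: 0xMNN00PP0  -> major<<28 | minor<<20 | patch<<4
 *   1.x: 0xMNNFFPPS  -> major<<28 | minor<<20 | fix<<12 | letter<<4 | status
 *        where the patch letter is a=1 ... z=26, so 1.1.1x is 0x1010118fL.
 */
typedef enum {
    OSSL_FIXED,            /* at or beyond the fixed release for its branch */
    OSSL_VULNERABLE,       /* an affected release below the fixed one */
    OSSL_OUT_OF_SUPPORT,   /* before 1.1.1: no longer receiving updates */
    OSSL_NOT_LISTED        /* branch not named in the advisory */
} ossl_status;

/* Classify a packed version number against the fixed releases in the advisory. */
ossl_status advisory_status(unsigned long n)
{
    unsigned major = (n >> 28) & 0xf;
    unsigned minor = (n >> 20) & 0xff;

    if (major == 3) {
        unsigned patch = (n >> 4) & 0xffff;   /* 3.x patch number */
        switch (minor) {
        case 0:  return patch >= 13 ? OSSL_FIXED : OSSL_VULNERABLE; /* fixed in 3.0.13 */
        case 1:  return patch >= 5  ? OSSL_FIXED : OSSL_VULNERABLE; /* fixed in 3.1.5  */
        case 2:  return patch >= 1  ? OSSL_FIXED : OSSL_VULNERABLE; /* fixed in 3.2.1  */
        default: return OSSL_NOT_LISTED;                            /* e.g. 3.3: not named above */
        }
    }

    unsigned fix    = (n >> 12) & 0xff;  /* third component of a 1.x version (1.1.1 -> 1) */
    unsigned letter = (n >> 4)  & 0xff;  /* 1.x patch letter index, a=1 */

    if (major == 1 && minor == 1 && fix == 1)
        return letter >= 24 ? OSSL_FIXED : OSSL_VULNERABLE;  /* 1.1.1x: 'x' is letter 24 */

    if (major < 1 || (major == 1 && (minor < 1 || (minor == 1 && fix < 1))))
        return OSSL_OUT_OF_SUPPORT;  /* 1.0.2 and 1.1.0: out of support per the note above */

    return OSSL_NOT_LISTED;
}

/* Gate to place in front of PKCS12_parse() and the other listed APIs when the
 * input is untrusted: only a build at or past the fixed release passes. */
int ok_to_parse_untrusted_pkcs12(unsigned long n)
{
    return advisory_status(n) == OSSL_FIXED;
}

const char *status_name(ossl_status s)
{
    switch (s) {
    case OSSL_FIXED:          return "fixed";
    case OSSL_VULNERABLE:     return "vulnerable";
    case OSSL_OUT_OF_SUPPORT: return "out of support";
    default:                  return "branch not listed in advisory";
    }
}

int main(void)
{
    /* Constructed sample values; in a real program use OpenSSL_version_num(). */
    static const struct { const char *label; unsigned long n; } samples[] = {
        { "3.0.12", 0x300000C0UL }, { "3.0.13", 0x300000D0UL },
        { "3.1.4",  0x30100040UL }, { "3.1.5",  0x30100050UL },
        { "3.2.0",  0x30200000UL }, { "3.2.1",  0x30200010UL },
        { "1.1.1w", 0x1010117fUL }, { "1.1.1x", 0x1010118fUL },
        { "1.0.2u", 0x1000215fUL }, { "3.3.0",  0x30300000UL },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-7s 0x%08lx  %s  parse untrusted PKCS12: %s\n",
               samples[i].label, samples[i].n,
               status_name(advisory_status(samples[i].n)),
               ok_to_parse_untrusted_pkcs12(samples[i].n) ? "yes" : "no");
    return 0;
}
```

The 3.x patch field is masked with 0xffff because in that layout the bits above the two-digit patch are zero, whereas in the 1.x layout the same bits hold the fix component, which is why the two layouts are decoded separately.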