git: 02f254f0a7f5 - main - security/openssl: Security update to 1.1.1o
Date: Wed, 04 May 2022 07:22:10 UTC
The branch main has been updated by brnrd: URL: https://cgit.FreeBSD.org/ports/commit/?id=02f254f0a7f5b3f69c127a9980965167d459080c commit 02f254f0a7f5b3f69c127a9980965167d459080c Author: Bernard Spil <brnrd@FreeBSD.org> AuthorDate: 2022-05-04 07:02:02 +0000 Commit: Bernard Spil <brnrd@FreeBSD.org> CommitDate: 2022-05-04 07:22:06 +0000 security/openssl: Security update to 1.1.1o Security: fceb2b08-cb76-11ec-a06f-d4c9ef517024 MFH: 2022Q2 --- security/vuxml/vuln-2022.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml index 1f902540f26b..b39e484bf31b 100644 --- a/security/vuxml/vuln-2022.xml +++ b/security/vuxml/vuln-2022.xml 
@@ -1,3 +1,57 @@ + <vuln vid="fceb2b08-cb76-11ec-a06f-d4c9ef517024"> + <topic>OpenSSL -- Multiple vulnerabilities</topic> + <affects> + <package> + <name>openssl</name> + <range><lt>1.1.1o,1</lt></range> + </package> + <package> + <name>openssl-devel</name> + <range><lt>3.0.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The OpenSSL project reports:</p> + <blockquote cite="https://www.openssl.org/news/secadv/20220503.txt"> + <ul> + <li>The c_rehash script allows command injection (CVE-2022-1292) + (Moderate) <br/>The c_rehash script does not properly sanitise shell + metacharacters to prevent command injection. This script is distributed + by some operating systems in a manner where it is automatically + executed. On such operating systems, an attacker could execute arbitrary + commands with the privileges of the script.</li> + <li>OCSP_basic_verify may incorrectly verify the response signing + certificate (CVE-2022-1343) (Moderate)<br/>The function + `OCSP_basic_verify` verifies the signer certificate on an OCSP response. + In the case where the (non-default) flag OCSP_NOCHECKS is used then the + response will be positive (meaning a successful verification) even in + the case where the response signing certificate fails to verify.</li> + <li>Incorrect MAC key used in the RC4-MD5 ciphersuite (CVE-2022-1434) + (Low)<br/>The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite + incorrectly uses the AAD data as the MAC key. 
This makes the MAC key + trivially predictable.</li> + <li>Resource leakage when decoding certificates and keys (CVE-2022-1473) + (Low)<br/>The OPENSSL_LH_flush() function, which empties a hash table, + containsa bug that breaks reuse of the memory occuppied by the removed + hash table entries.</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2022-1292</cvename> + <cvename>CVE-2022-1343</cvename> + <cvename>CVE-2022-1434</cvename> + <cvename>CVE-2022-1473</cvename> + <url>https://www.openssl.org/news/secadv/20220503.txt</url> + </references> + <dates> + <discovery>2022-05-03</discovery> + <entry>2022-05-04</entry> + </dates> + </vuln> + <vuln vid="a8118db0-cac2-11ec-9288-0800270512f4"> <topic>rainloop -- cross-site-scripting (XSS) vulnerability</topic> <affects>
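Review bot: the affects block applies all four issues to the 1.1.1 openssl package (`<lt>1.1.1o,1</lt>`) as well as to openssl-devel (`<lt>3.0.3</lt>`), but the RC4-MD5 item (CVE-2022-1434) is quoted as a bug in "The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite", so the entry overstates what the 1.1.1 package is exposed to; consider stating per issue which branch is affected, or splitting the 3.0-only items into their own entry so `pkg audit` users on 1.1.1 get an accurate report. Separately, the quoted CVE-2022-1473 text carries two spelling errors, "containsa" and "occuppied", which should read "contains a" and "occupied"; if they are verbatim from the upstream advisory it is still worth fixing them here since this text is what end users see.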