diff options
| author | Tomas Mraz <tomas@openssl.org> | 2024-01-09 18:08:22 +0100 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2024-01-15 10:58:10 +0100 |
| commit | 5149deb832bc98cd908c4fca345c6f1150f4e286 (patch) | |
| tree | 8d6a895675377ceeaf8b6bfdd6f96187b25f9fbb | |
| parent | 18c02492138d1eb8b6548cb26e7b625fb2414a2a (diff) | |
Add CHANGES.md and NEWS.md entries for CVE-2023-6237
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23243)
(cherry picked from commit 38b2508f638787842750aec9a75745e1d8786743)
| -rw-r--r-- | CHANGES.md | 23 | ||||
| -rw-r--r-- | NEWS.md | 5 |
2 files changed, 27 insertions, 1 deletions
diff --git a/CHANGES.md b/CHANGES.md index 8be8124fd8..2ba6c98077 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -30,6 +30,28 @@ breaking changes, and mappings for the large list of deprecated functions. ### Changes between 3.0.12 and 3.0.13 [xx XXX xxxx] + * When function EVP_PKEY_public_check() is called on RSA public keys, + a computation is done to confirm that the RSA modulus, n, is composite. + For valid RSA keys, n is a product of two or more large primes and this + computation completes quickly. However, if n is an overly large prime, + then this computation would take a long time. + + An application that calls EVP_PKEY_public_check() and supplies an RSA key + obtained from an untrusted source could be vulnerable to a Denial of Service + attack. + + The function EVP_PKEY_public_check() is not called from other OpenSSL + functions however it is called from the OpenSSL pkey command line + application. For that reason that application is also vulnerable if used + with the "-pubin" and "-check" options on untrusted data. + + To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will + now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason. + + ([CVE-2023-6237]) + + *Tomáš Mráz* + * Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey rather than SM2. @@ -19782,6 +19804,7 @@ ndif <!-- Links --> +[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237 [CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129 [CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678 [CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363 @@ -20,7 +20,9 @@ OpenSSL 3.0 ### Major changes between OpenSSL 3.0.12 and OpenSSL 3.0.13 [under development] - * Fix POLY1305 MAC implementation corrupting vector registers on PowerPC + * Fixed Excessive time spent checking invalid RSA public keys + ([CVE-2023-6237]) + * Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC CPUs which support PowerISA 2.07 ([CVE-2023-6129]) * Fix excessive time spent in DH check / generation with large Q parameter @@ -1466,6 +1468,7 @@ OpenSSL 0.9.x <!-- Links --> +[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237 [CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129 [CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678 [CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363 |