[Pkg-openssl-devel] Bug#1041817: openssl: CVE-2023-3446

Salvatore Bonaccorso carnil at debian.org
Sun Jul 23 21:47:47 BST 2023 

Source: openssl
Version: 3.0.9-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: found -1 1.1.1n-0+deb11u4
Control: found -1 1.1.1n-0+deb11u5

Hi,

The following vulnerability was published for openssl.

CVE-2023-3446[0]:
| Issue summary: Checking excessively long DH keys or parameters may
| be very slow.  Impact summary: Applications that use the functions
| DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH
| key or DH parameters may experience long delays. Where the key or
| parameters that are being checked have been obtained from an
| untrusted source this may lead to a Denial of Service.  The function
| DH_check() performs various checks on DH parameters. One of those
| checks confirms that the modulus ('p' parameter) is not too large.
| Trying to use a very large modulus is slow and OpenSSL will not
| normally use a modulus which is over 10,000 bits in length.  However
| the DH_check() function checks numerous aspects of the key or
| parameters that have been supplied. Some of those checks use the
| supplied modulus value even if it has already been found to be too
| large.  An application that calls DH_check() and supplies a key or
| parameters obtained from an untrusted source could be vulernable to
| a Denial of Service attack.  The function DH_check() is itself
| called by a number of other OpenSSL functions. An application
| calling any of those other functions may similarly be affected. The
| other functions affected by this are DH_check_ex() and
| EVP_PKEY_param_check().  Also vulnerable are the OpenSSL dhparam and
| pkeyparam command line applications when using the '-check' option.
| The OpenSSL SSL/TLS implementation is not affected by this issue.
| The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this
| issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-3446
    https://www.cve.org/CVERecord?id=CVE-2023-3446
[1] https://www.openssl.org/news/secadv/20230719.txt

Regards,
Salvatore

More information about the Pkg-openssl-devel mailing list