-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: openssl security and bug fix update
Advisory ID:       RHSA-2023:2523-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2523
Issue date:        2023-05-09
CVE Names:         CVE-2022-3358
====================================================================

1. Summary:

An update for openssl is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) protocols, as well as a full-strength
general-purpose cryptography library.

Security Fix(es):

* openssl: Using a Custom Cipher with NID_undef may lead to NULL encryption
(CVE-2022-3358)

Only applications that register their own cipher through the deprecated
legacy EVP_CIPHER_meth_new() API and pass NID_undef as its NID are exposed:
the OpenSSL 3.0 cipher initialisation functions look up a provider cipher by
that NID, match the NULL cipher, and then emit the plaintext unchanged as the
ciphertext. Applications using the built-in ciphers, or the provider
interface for custom ciphers, are not affected.

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.2 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library
must be restarted, or the system rebooted.

5. Bugs fixed (https://bugzilla.redhat.com/):

2060044 - PSK ciphersuites at SECLEVEL=3
2083879 - -Wimplicit-function-declaration when compiling FIPS_mode() function with clang
2094956 - Overriding default property query settings doesn't work for some operations (FIPS mode)
2128412 - stunnel consumes high amount of memory when pestered with TCP connections without a TLS handshake
2129063 - Rebase to the latest openssl 3.0.x series
2133809 - OPENSSL_strcasecmp versioning
2134740 - CVE-2022-3358 openssl: Using a Custom Cipher with NID_undef may lead to NULL encryption
2136250 - HMAC generation should reject key lengths < 112 bits or provide an indicator in FIPS mode
2137557 - In FIPS mode, openssl should set a minimum length for passwords in PBKDF2
2141597 - FIPS self-test data for RSA-CRT contains incorrect parameters
2141695 - In FIPS mode, openssl should reject KDF input and output key lengths < 112 bits or provide an indicator
2141748 - In FIPS mode, openssl should reject SHA-224, SHA-384, SHA-512-224, and SHA-512-256 as hashes for hash-based DRBGs, or provide an indicator after 2023-05-16
2142087 - In FIPS mode, openssl should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
2142121 - In FIPS mode, openssl should reject SHAKE as digest for RSA-OAEP or provide an indicator
2142131 - In FIPS mode, openssl should reject RSA signatures with X9.31 padding, or provide an indicator
2142517 - OpenSSL PKCS#11 provider compatibility
2144561 - In FIPS mode, openssl should reject RSA keys < 2048 bits when using EVP_PKEY_decapsulate, or provide an indicator
2157965 - OpenSSL FIPS checksum code needs update
2168224 - OpenSSL - Significant performance drop for getrandom system call when FIPS is enabled (compared to RHEL 8)

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

aarch64:
openssl-debuginfo-3.0.7-6.el9_2.aarch64.rpm
openssl-debugsource-3.0.7-6.el9_2.aarch64.rpm
openssl-devel-3.0.7-6.el9_2.aarch64.rpm
openssl-libs-debuginfo-3.0.7-6.el9_2.aarch64.rpm
openssl-perl-3.0.7-6.el9_2.aarch64.rpm

ppc64le:
openssl-debuginfo-3.0.7-6.el9_2.ppc64le.rpm
openssl-debugsource-3.0.7-6.el9_2.ppc64le.rpm
openssl-devel-3.0.7-6.el9_2.ppc64le.rpm
openssl-libs-debuginfo-3.0.7-6.el9_2.ppc64le.rpm
openssl-perl-3.0.7-6.el9_2.ppc64le.rpm

s390x:
openssl-debuginfo-3.0.7-6.el9_2.s390x.rpm
openssl-debugsource-3.0.7-6.el9_2.s390x.rpm
openssl-devel-3.0.7-6.el9_2.s390x.rpm
openssl-libs-debuginfo-3.0.7-6.el9_2.s390x.rpm
openssl-perl-3.0.7-6.el9_2.s390x.rpm

x86_64:
openssl-debuginfo-3.0.7-6.el9_2.i686.rpm
openssl-debuginfo-3.0.7-6.el9_2.x86_64.rpm
openssl-debugsource-3.0.7-6.el9_2.i686.rpm
openssl-debugsource-3.0.7-6.el9_2.x86_64.rpm
openssl-devel-3.0.7-6.el9_2.i686.rpm
openssl-devel-3.0.7-6.el9_2.x86_64.rpm
openssl-libs-debuginfo-3.0.7-6.el9_2.i686.rpm
openssl-libs-debuginfo-3.0.7-6.el9_2.x86_64.rpm
openssl-perl-3.0.7-6.el9_2.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 9):

Source:
openssl-3.0.7-6.el9_2.src.rpm

aarch64:
openssl-3.0.7-6.el9_2.aarch64.rpm
openssl-debuginfo-3.0.7-6.el9_2.aarch64.rpm
openssl-debugsource-3.0.7-6.el9_2.aarch64.rpm
openssl-libs-3.0.7-6.el9_2.aarch64.rpm
openssl-libs-debuginfo-3.0.7-6.el9_2.aarch64.rpm

ppc64le:
openssl-3.0.7-6.el9_2.ppc64le.rpm
openssl-debuginfo-3.0.7-6.el9_2.ppc64le.rpm
openssl-debugsource-3.0.7-6.el9_2.ppc64le.rpm
openssl-libs-3.0.7-6.el9_2.ppc64le.rpm
openssl-libs-debuginfo-3.0.7-6.el9_2.ppc64le.rpm

s390x:
openssl-3.0.7-6.el9_2.s390x.rpm
openssl-debuginfo-3.0.7-6.el9_2.s390x.rpm
openssl-debugsource-3.0.7-6.el9_2.s390x.rpm
openssl-libs-3.0.7-6.el9_2.s390x.rpm
openssl-libs-debuginfo-3.0.7-6.el9_2.s390x.rpm

x86_64:
openssl-3.0.7-6.el9_2.x86_64.rpm
openssl-debuginfo-3.0.7-6.el9_2.i686.rpm
openssl-debuginfo-3.0.7-6.el9_2.x86_64.rpm
openssl-debugsource-3.0.7-6.el9_2.i686.rpm
openssl-debugsource-3.0.7-6.el9_2.x86_64.rpm
openssl-libs-3.0.7-6.el9_2.i686.rpm
openssl-libs-3.0.7-6.el9_2.x86_64.rpm
openssl-libs-debuginfo-3.0.7-6.el9_2.i686.rpm
openssl-libs-debuginfo-3.0.7-6.el9_2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3358
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
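The two checks below are an added example for administrators applying this advisory; they are not part of the Red Hat advisory text or of any Red Hat tooling. The first compares an installed openssl-libs version-release string against the fixed build 3.0.7-6.el9_2 from the package list in section 6; it only looks at the dotted version and the leading integer of the release, which is sufficient for builds from the same RHEL 9 stream but is not a full rpmvercmp. The second implements the restart requirement from section 4: a process that was started before the update keeps the old library image mapped, and /proc/<pid>/maps marks that mapping as "(deleted)" once the new package replaced the file. The function names, the FIXED_NVR constant and the sample maps records are all constructed for this example.

```shell
#!/bin/sh
# Added example, not part of RHSA-2023:2523. Post-update checks for the
# openssl 3.0.7-6.el9_2 build: version comparison and "still running the
# old libcrypto/libssl" detection. Names and sample data are constructed.

FIXED_NVR="3.0.7-6.el9_2"   # openssl-libs build listed in section 6 of the advisory

# field STRING N : N-th dot-separated field of STRING (empty if absent)
field() { printf '%s' "$1" | cut -d. -f"$2"; }

# version_ge A B : succeed when NVR A >= NVR B, both like "3.0.7-6.el9_2".
# Assumption: dotted version compared numerically, then the leading integer
# of the release; the ".el9_2" dist tag is ignored (same RHEL stream).
version_ge() {
    av=${1%%-*}; ar=${1#*-}; ar=${ar%%.*}
    bv=${2%%-*}; br=${2#*-}; br=${br%%.*}
    i=1
    while [ "$i" -le 3 ]; do
        x=$(field "$av" "$i"); y=$(field "$bv" "$i")
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        i=$((i + 1))
    done
    [ "$ar" -ge "$br" ]
}

# is_fixed_nvr NVR : succeed when NVR is at least the build carrying the fix
is_fixed_nvr() { version_ge "$1" "$FIXED_NVR"; }

# stale_lib_pids : read "<pid> <line from /proc/<pid>/maps>" records on stdin
# and print each PID (once) that still maps a deleted libssl/libcrypto image,
# i.e. a service that was not restarted after the update.
stale_lib_pids() {
    grep -E 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$' | cut -d' ' -f1 | sort -un
}

# scan_live_maps : produce those records for every readable process on a
# real host (run as root to see all of them): scan_live_maps | stale_lib_pids
scan_live_maps() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}; pid=${pid%%/*}
        sed "s|^|$pid |" "$m" 2>/dev/null
    done
}

# Constructed sample: PIDs 1234 and 4321 still run the pre-update library,
# 2222 was restarted, 3333 maps a deleted libz (not an OpenSSL concern).
SAMPLE_MAPS='1234 7f3a2c000000-7f3a2c5c0000 r-xp 00000000 fd:00 1234567 /usr/lib64/libcrypto.so.3.0.7 (deleted)
1234 7f3a2c600000-7f3a2c700000 r-xp 00000000 fd:00 1234568 /usr/lib64/libssl.so.3.0.7 (deleted)
2222 7f1100000000-7f11005c0000 r-xp 00000000 fd:00 2345678 /usr/lib64/libcrypto.so.3.0.7
4321 7f9900000000-7f99005c0000 r-xp 00000000 fd:00 1234567 /usr/lib64/libssl.so.3.0.7 (deleted)
3333 7f0000000000-7f0000010000 r-xp 00000000 fd:00 99 /usr/lib64/libz.so.1.2.11 (deleted)'

# Stand-alone run: a RHEL 9.1 build and the fixed build, then the sample maps.
for nvr in 3.0.1-47.el9_1 3.0.7-6.el9_2; do
    if is_fixed_nvr "$nvr"; then echo "$nvr: fixed"; else echo "$nvr: NOT fixed"; fi
done
echo "PIDs still mapping a deleted libcrypto/libssl:"
printf '%s\n' "$SAMPLE_MAPS" | stale_lib_pids
```

On a real host feed `is_fixed_nvr` with `rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl-libs`, and run `scan_live_maps | stale_lib_pids` as root; every PID it prints is a service that must be restarted (or the host rebooted) before the fix is effective. `rpm -q --changelog openssl-libs | grep CVE-2022-3358` is the authoritative way to confirm the fix is in the installed build, and the `needs-restarting` utility from dnf-utils reports stale mappings for all packages, not only OpenSSL.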
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZFo1dNzjgjWX9erEAQgzIA//Umqqwi/EqZCm5Ji+lBfbBR39gqJdGRQB
5jxLU/+A1TCTNUT/x+j420fnigF4MDIhh/H0QfK+72Fld2m+CreIqZW+7Xsh0RtN
WSGZaf4irML80WhRjSHgsIipN7Nji4tl0xbGmF0uchDdJU84D7xcF8qbzyVXpNeu
GBczcwUIqCS7A/1cMQLTmeQPlP1IRs3QMs5d5a3Ao5VrzeLctTt9I5Q2LFnzdqAp
WhHNBsQye+510/8ORfVaavUVFM47WhR7rBxW2M/dVnYj51ak85Dk1VIZN5WFXHq+
ZPg6EXXlyXagYKZwYtJEC32v6xd2rjDjrfsbKuT90yH9nkGJ0YcjI6FKOg8K0NcI
qs1NNGGzI5ZOAPbTTYENYOiFhKyI0wv8K+GWwzWjTysR6lAhH0WSVEffjAWAY17S
94uSgAGtDu/sVZz5Qxj64352RDtpsigrdg5dbhzkl8eVXjBJ7fi5ynANIMqts0xc
KmrbOycn9gfNp6w98qO3/PD+ppADa/BxETbjg8CHlgD0AX92SNOQuI3x62g45iPo
1UrZ07kpLaZPmSJaWGvdSD7jfRq/cxtSB5UAfsXf6Ot++hDvwICDIVAbjW7RCXXZ
WbUE1dI4rARGSW8G3DANl5fQrnYh8yqf1mIbCEl38NInWWescvTyB8i1zDWyKrjX
AFWo0WjKSQw=
=naov
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce