[Bugs] [Bug 13551] New: [CVE 21] libressl 3.2.0 CVEs found

bugzilla bugzilla на rosalinux.ru
Ср Авг 23 23:21:25 MSK 2023 

https://bugzilla.rosalinux.ru/show_bug.cgi?id=13551

          Platform: 2021.1
            Bug ID: 13551
           Summary: [CVE 21] libressl 3.2.0  CVEs found
    Classification: ROSA-based products
           Product: ROSA Fresh
           Version: All
          Hardware: All
               URL: CVE-2021-46880, CVE-2022-48437, CVE-2023-35784,
                OS: Linux
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs на lists.rosalinux.ru
          Reporter: y.tumanov на rosalinux.ru
        QA Contact: bugs на lists.rosalinux.ru
                CC: e.kosachev на rosalinux.ru, s.matveev на rosalinux.ru,
                    y.tumanov на rosalinux.ru
  Target Milestone: ---
             Flags: secteam_verified?

Please patch CVEs for package libressl version 3.2.0

INFO (CVEs are): libressl 3.2.0
 cves found
CVE-2021-46880
Desc: x509/x509_verify.c in LibreSSL before 3.4.2, and OpenBSD before 7.0
errata 006, allows authentication bypass because an error for an unverified
certificate chain is sometimes discarded.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-46880
Severity: CRITICAL
CVE-2022-48437
Desc: An issue was discovered in x509/x509_verify.c in LibreSSL before 3.6.1,
and in OpenBSD before 7.2 errata 001. x509_verify_ctx_add_chain does not store
errors that occur during leaf certificate verification, and therefore an
incorrect error is returned. This behavior occurs when there is an installed
verification callback that instructs the verifier to continue upon detecting an
invalid certificate.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-48437
Severity: MEDIUM
CVE-2023-35784
Desc: A double free or use after free could occur after SSL_clear in OpenBSD
7.2 before errata 026 and 7.3 before errata 004, and in LibreSSL before 3.6.3
and 3.7.x before 3.7.3. NOTE: OpenSSL is not affected.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-35784
Severity: CRITICAL

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
----------- следущая часть -----------
Вложение в формате HTML было извлечено…
URL: <http://lists.rosalinux.ru/pipermail/bugs/attachments/20230823/e57514b8/attachment.html>

Подробная информация о списке рассылки Bugs