<html>
    <head>
      <base href="https://bugzilla.rosalinux.ru/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Platform</th>
          <td>2021.1
          </td>
        </tr>

        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_CONFIRMED "
   title="CONFIRMED - [CVE 21] libressl 3.2.0 CVEs found"
   href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13551">13551</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>[CVE 21] libressl 3.2.0  CVEs found
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>ROSA-based products
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>ROSA Fresh
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>URL</th>
          <td>CVE-2021-46880, CVE-2022-48437, CVE-2023-35784,
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>CONFIRMED
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>System (kernel, glibc, systemd, bash, PAM...)
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>bugs&#64;lists.rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>y.tumanov&#64;rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>bugs&#64;lists.rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>e.kosachev&#64;rosalinux.ru, s.matveev&#64;rosalinux.ru, y.tumanov&#64;rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>Target Milestone</th>
          <td>---
          </td>
        </tr>

        <tr>
          <th>Flags</th>
          <td>secteam_verified?
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Please patch CVEs for package libressl version 3.2.0

INFO (CVEs are): libressl 3.2.0
 cves found
CVE-2021-46880
Desc: x509/x509_verify.c in LibreSSL before 3.4.2, and OpenBSD before 7.0
errata 006, allows authentication bypass because an error for an unverified
certificate chain is sometimes discarded.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-46880">https://nvd.nist.gov/vuln/detail/CVE-2021-46880</a>
Severity: CRITICAL
CVE-2022-48437
Desc: An issue was discovered in x509/x509_verify.c in LibreSSL before 3.6.1,
and in OpenBSD before 7.2 errata 001. x509_verify_ctx_add_chain does not store
errors that occur during leaf certificate verification, and therefore an
incorrect error is returned. This behavior occurs when there is an installed
verification callback that instructs the verifier to continue upon detecting an
invalid certificate.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-48437">https://nvd.nist.gov/vuln/detail/CVE-2022-48437</a>
Severity: MEDIUM
CVE-2023-35784
Desc: A double free or use after free could occur after SSL_clear in OpenBSD
7.2 before errata 026 and 7.3 before errata 004, and in LibreSSL before 3.6.3
and 3.7.x before 3.7.3. NOTE: OpenSSL is not affected.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-35784">https://nvd.nist.gov/vuln/detail/CVE-2023-35784</a>
Severity: CRITICAL</pre>
        </div>
      </p>


      <hr>
      <span>You are receiving this mail because:</span>

      <ul>
          <li>You are the QA Contact for the bug.</li>
          <li>You are the assignee for the bug.</li>
      </ul>
    </body>
</html>