1 |
type: security |
2 |
subject: Updated openssl packages fix security vulnerability |
3 |
CVE: |
4 |
- CVE-2021-3449 |
5 |
- CVE-2021-3450 |
6 |
src: |
7 |
8: |
8 |
core: |
9 |
- openssl-1.1.1k-1.mga8 |
10 |
description: | |
11 |
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation |
12 |
ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits |
13 |
the signature_algorithms extension (where it was present in the initial |
14 |
ClientHello), but includes a signature_algorithms_cert extension then a NULL |
15 |
pointer dereference will result, leading to a crash and a denial of service |
16 |
attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled |
17 |
(which is the default configuration). OpenSSL TLS clients are not impacted by |
18 |
this issue. (CVE-2021-3449). |
19 |
|
20 |
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the |
21 |
certificates present in a certificate chain. It is not set by default. |
22 |
Starting from OpenSSL version 1.1.1h a check to disallow certificates in the |
23 |
chain that have explicitly encoded elliptic curve parameters was added as an |
24 |
additional strict check. An error in the implementation of this check meant |
25 |
that the result of a previous check to confirm that certificates in the chain |
26 |
are valid CA certificates was overwritten. This effectively bypasses the check |
27 |
that non-CA certificates must not be able to issue other certificates. If a |
28 |
"purpose" has been configured then there is a subsequent opportunity for checks |
29 |
that the certificate is a valid CA. All of the named "purpose" values |
30 |
implemented in libcrypto perform this check. Therefore, where a purpose is set |
31 |
the certificate chain will still be rejected even when the strict flag has been |
32 |
used. A purpose is set by default in libssl client and server certificate |
33 |
verification routines, but it can be overridden or removed by an application. |
34 |
In order to be affected, an application must explicitly set the |
35 |
X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the |
36 |
certificate verification or, in the case of TLS client or server applications, |
37 |
override the default purpose. (CVE-2021-3450). |
38 |
references: |
39 |
- https://bugs.mageia.org/show_bug.cgi?id=28640 |
40 |
- https://www.openssl.org/news/secadv/20210325.txt |
41 |
ID: MGASA-2021-0176 |