Debian OpenSSL vulnerabilities

277 known vulnerabilities affecting debian/openssl.

Total CVEs: 277
CISA KEV: 1 (actively exploited)
Public exploits: 27
Exploited in wild: 2
Severity breakdown: CRITICAL 12, HIGH 70, MEDIUM 109, LOW 84, UNKNOWN 2

Vulnerabilities

Page 4 of 14
CVE-2022-0778 | HIGH | CVSS 7.5 | fixed in openssl 1.1.1n-1 (bookworm) | 2022 | debian
CVE-2022-0778 [HIGH]: openssl - The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the i
CVE-2022-4203 | MEDIUM | CVSS 4.9 | fixed in openssl 3.0.8-1 (bookworm) | 2022 | debian
CVE-2022-4203 [MEDIUM]: openssl - A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer.
CVE-2022-2097 | MEDIUM | CVSS 5.3 | fixed in openssl 3.0.5-1 (bookworm) | 2022 | debian
CVE-2022-2097 [MEDIUM]: openssl - AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does
CVE-2022-4304 | MEDIUM | CVSS 5.9 | fixed in openssl 3.0.8-1 (bookworm) | 2022 | debian
CVE-2022-4304 [MEDIUM]: openssl - A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v
CVE-2022-1343 | LOW | CVSS 5.3 | 2022 | debian
CVE-2022-1343 [MEDIUM]: openssl - The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify. It is anticipated that most users of `OCSP_basic_verify` will not use the O
CVE-2022-1473 | LOW | CVSS 7.5 | 2022 | debian
CVE-2022-1473 [HIGH]: openssl - The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occupied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operat
CVE-2022-1434 | LOW | CVSS 5.9 | 2022 | debian
CVE-2022-1434 [MEDIUM]: openssl - The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check
CVE-2021-3711 | CRITICAL | CVSS 9.8 | fixed in openssl 1.1.1l-1 (bookworm) | 2021 | debian
CVE-2021-3711 [CRITICAL]: openssl - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then all
CVE-2021-3450 | HIGH | CVSS 7.4 | fixed in openssl 1.1.1k-1 (bookworm) | 2021 | debian
CVE-2021-3450 [HIGH]: openssl - The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check
CVE-2021-23840 | HIGH | CVSS 7.5 | fixed in openssl 1.1.1j-1 (bookworm) | 2021 | debian
CVE-2021-23840 [HIGH]: openssl - Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause
CVE-2021-3712 | HIGH | CVSS 7.4 | fixed in openssl 1.1.1l-1 (bookworm) | 2021 | debian
CVE-2021-3712 [HIGH]: openssl - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed usi
CVE-2021-23841 | MEDIUM | CVSS 5.9 | fixed in openssl 1.1.1j-1 (bookworm) | 2021 | debian
CVE-2021-23841 [MEDIUM]: openssl - The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently
CVE-2021-3449 | MEDIUM | CVSS 5.9 | fixed in openssl 1.1.1k-1 (bookworm) | 2021 | debian
CVE-2021-3449 [MEDIUM]: openssl - An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denia
CVE-2021-23839 | LOW | CVSS 3.7 | fixed in openssl 1.0.0d-1 (bookworm) | 2021 | debian
CVE-2021-23839 [LOW]: openssl - OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that su
CVE-2021-4160 | LOW | CVSS 3.7 | fixed in openssl 1.1.1m-1 (bookworm) | 2021 | debian
CVE-2021-4160 [LOW]: openssl - There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would
CVE-2021-4044 | LOW | CVSS 7.5 | 2021 | debian
CVE-2021-4044 [HIGH]: openssl - Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indica
CVE-2020-1967 | HIGH | CVSS 7.5 | fixed in openssl 1.1.1g-1 (bookworm) | 2020 | debian
CVE-2020-1967 [HIGH]: openssl - Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious pe
CVE-2020-1971 | MEDIUM | CVSS 5.9 | fixed in openssl 1.1.1i-1 (bookworm) | 2020 | debian
CVE-2020-1971 [MEDIUM]: openssl - The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer d
CVE-2020-1968 | LOW | CVSS 3.7 | fixed in openssl 1.1.0c-1 (bookworm) | 2020 | debian
CVE-2020-1968 [LOW]: openssl - The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploi
CVE-2019-1547 | MEDIUM | CVSS 4.7 | fixed in openssl 1.1.1d-1 (bookworm) | 2019 | debian
CVE-2019-1547 [MEDIUM]: openssl - Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters ma
Debian OpenSSL vulnerabilities | cvebase