From abf147163e1b9caea29d10576551bf1ab7f6ed292dca865c2188520c91bdf743 Mon Sep 17 00:00:00 2001 From: Jason Sikes Date: Tue, 30 Mar 2021 07:22:25 +0000 Subject: [PATCH] Accepting request 882114 from home:jsikes:branches:security:tls Update to 1.1.1k with CVE fixes. Enjoy! OBS-URL: https://build.opensuse.org/request/show/882114 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=90 --- openssl-1_1.changes | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/openssl-1_1.changes b/openssl-1_1.changes index 746b7c9..e80d2a2 100644 --- a/openssl-1_1.changes +++ b/openssl-1_1.changes @@ -1,3 +1,24 @@ +------------------------------------------------------------------- +Thu Mar 25 23:51:47 UTC 2021 - Jason Sikes + +- Update to 1.1.1k + * Fixed a problem with verifying a certificate chain when using + the X509_V_FLAG_X509_STRICT flag. This flag enables additional + security checks of the certificates present in a certificate + chain. It is not set by default. ([CVE-2021-3450]) + + * Fixed an issue where an OpenSSL TLS server may crash if sent a + maliciously crafted renegotiation ClientHello message from a + client. If a TLSv1.2 renegotiation ClientHello omits the + signature_algorithms extension (where it was present in the + initial ClientHello), but includes a signature_algorithms_cert + extension then a NULL pointer dereference will result, leading + to a crash and a denial of service attack. + + A server is only vulnerable if it has TLSv1.2 and renegotiation + enabled (which is the default configuration). OpenSSL TLS + clients are not impacted by this issue. ([CVE-2021-3449]) + ------------------------------------------------------------------- Tue Mar 2 19:40:25 UTC 2021 - Pedro Monreal
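Review bot: the changelog entry announces "Update to 1.1.1k", but the diff touches only openssl-1_1.changes (1 file changed, 21 insertions), with no matching Version bump in the spec file and no new source tarball or signature; either those changes belong in this request too, or the entry should not claim the version update yet. As a style point, openSUSE changelog entries conventionally carry a bug tracker reference (bsc#) next to each CVE so the security team can track the fix; consider adding one beside `([CVE-2021-3450])` and `([CVE-2021-3449])`. The CVE descriptions themselves are accurate and usefully note the non-default X509_V_FLAG_X509_STRICT precondition for CVE-2021-3450 and the default-on TLSv1.2-plus-renegotiation precondition for CVE-2021-3449.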