[El-errata] ELSA-2023-3722 Moderate: Oracle Linux 9 openssl security and bug fix update

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Thu Jun 22 18:04:33 UTC 2023 

Oracle Linux Security Advisory ELSA-2023-3722

http://linux.oracle.com/errata/ELSA-2023-3722.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
openssl-3.0.7-16.0.1.el9_2.x86_64.rpm
openssl-devel-3.0.7-16.0.1.el9_2.i686.rpm
openssl-devel-3.0.7-16.0.1.el9_2.x86_64.rpm
openssl-libs-3.0.7-16.0.1.el9_2.i686.rpm
openssl-libs-3.0.7-16.0.1.el9_2.x86_64.rpm
openssl-perl-3.0.7-16.0.1.el9_2.x86_64.rpm

aarch64:
openssl-3.0.7-16.0.1.el9_2.aarch64.rpm
openssl-devel-3.0.7-16.0.1.el9_2.aarch64.rpm
openssl-libs-3.0.7-16.0.1.el9_2.aarch64.rpm
openssl-perl-3.0.7-16.0.1.el9_2.aarch64.rpm


SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates//openssl-3.0.7-16.0.1.el9_2.src.rpm

Related CVEs:

CVE-2023-0464
CVE-2023-0465
CVE-2023-0466
CVE-2023-1255
CVE-2023-2650




Description of changes:

[3.0.7-16.0.1]
- Replace upstream references [Orabug: 34340177]

[1:3.0.7-16]
- Fix possible DoS translating ASN.1 object identifiers
  Resolves: CVE-2023-2650
- Release the DRBG in global default libctx early
  Resolves: rhbz#2211396

[1:3.0.7-15.1]
- Re-enable DHX keys in FIPS mode, disable FIPS 186-4 parameter validation and generation in FIPS mode
  Resolves: rhbz#2178030

[1:3.0.7-15]
- Enforce using EMS in FIPS mode - alerts tuning
  Related: rhbz#2157951

[1:3.0.7-14]
- Input buffer over-read in AES-XTS implementation on 64 bit ARM
  Resolves: rhbz#2188554

[1:3.0.7-13]
- Enforce using EMS in FIPS mode
  Resolves: rhbz#2157951
- Fix excessive resource usage in verifying X509 policy constraints
  Resolves: rhbz#2186661
- Fix invalid certificate policies in leaf certificates check
  Resolves: rhbz#2187429
- Certificate policy check not enabled
  Resolves: rhbz#2187431
- OpenSSL rsa_verify_recover key length checks in FIPS mode
  Resolves: rhbz#2186819

[1:3.0.7-12]
- Change explicit FIPS indicator for RSA decryption to unapproved
  Resolves: rhbz#2179379

[1:3.0.7-11]
- Add missing reference to patchfile to add explicit FIPS indicator to RSA
  encryption and RSASVE and fix the gettable parameter list for the RSA
  asymmetric cipher implementation.
  Resolves: rhbz#2179379

[1:3.0.7-10]
- Add explicit FIPS indicator to RSA encryption and RSASVE
  Resolves: rhbz#2179379

[1:3.0.7-9]
- Fix explicit FIPS indicator for X9.42 KDF when used with output lengths < 14 bytes
  Resolves: rhbz#2175864

[1:3.0.7-8]
- Fix Wpointer-sign compiler warning
  Resolves: rhbz#2178034

[1:3.0.7-7]
- Add explicit FIPS indicators to key derivation functions
  Resolves: rhbz#2175860 rhbz#2175864
- Zeroize FIPS module integrity check MAC after check
  Resolves: rhbz#2175873
- Add explicit FIPS indicator for IV generation in AES-GCM
  Resolves: rhbz#2175868
- Add explicit FIPS indicator for PBKDF2, use test vector with FIPS-compliant
  salt in PBKDF2 FIPS self-test
  Resolves: rhbz#2178137
- Limit RSA_NO_PADDING for encryption and signature in FIPS mode
  Resolves: rhbz#2178029
- Pairwise consistency tests should use Digest+Sign/Verify
  Resolves: rhbz#2178034
- Forbid DHX keys import in FIPS mode
  Resolves: rhbz#2178030
- DH PCT should abort on failure
  Resolves: rhbz#2178039
- Increase RNG seeding buffer size to 32
  Related: rhbz#2168224

More information about the El-errata mailing list