Bug 13551

Summary:	[CVE 21] libressl 3.2.0 CVEs found
Product:	[ROSA-based products] ROSA Fresh	Reporter:	Yury <y.tumanov>
Component:	System (kernel, glibc, systemd, bash, PAM...)	Assignee:	ROSA Linux Bugs <bugs>
Status:	RESOLVED DUPLICATE	QA Contact:	ROSA Linux Bugs <bugs>
Severity:	normal
Priority:	Normal	CC:	e.kosachev, s.matveev, v.potapov, y.tumanov
Version:	All
Target Milestone:	---
Hardware:	All
OS:	Linux
URL:	CVE-2021-46880, CVE-2022-48437, CVE-2023-35784,
Whiteboard:
Platform:	2021.1	ROSA Vulnerability identifier:
RPM Package:		ISO-related:
Bad POT generating:		Upstream:

Description Yury 2023-08-24 00:21:25 MSK

Please patch CVEs for package libressl version 3.2.0
  
INFO (CVEs are): libressl 3.2.0
 cves found
CVE-2021-46880
Desc: x509/x509_verify.c in LibreSSL before 3.4.2, and OpenBSD before 7.0 errata 006, allows authentication bypass because an error for an unverified certificate chain is sometimes discarded.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-46880
Severity: CRITICAL
CVE-2022-48437
Desc: An issue was discovered in x509/x509_verify.c in LibreSSL before 3.6.1, and in OpenBSD before 7.2 errata 001. x509_verify_ctx_add_chain does not store errors that occur during leaf certificate verification, and therefore an incorrect error is returned. This behavior occurs when there is an installed verification callback that instructs the verifier to continue upon detecting an invalid certificate.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-48437
Severity: MEDIUM
CVE-2023-35784
Desc: A double free or use after free could occur after SSL_clear in OpenBSD 7.2 before errata 026 and 7.3 before errata 004, and in LibreSSL before 3.6.3 and 3.7.x before 3.7.3. NOTE: OpenSSL is not affected.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-35784
Severity: CRITICAL

Comment 1 Vladimir Potapov 2023-10-20 17:51:12 MSK


*** This bug has been marked as a duplicate of bug 13888 ***