Amazon Linux 2023 Security Advisory: ALAS-2024-520
Advisory Release Date: 2024-02-15 02:51 Pacific
Advisory Updated Date: 2024-02-19 20:27 Pacific
A flaw was found in OpenSSL. When the EVP_PKEY_public_check() function is called on RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large prime, this computation takes a long time. An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack. (CVE-2023-6237)
Processing a maliciously formatted PKCS12 file may cause OpenSSL to crash, leading to a potential Denial of Service attack.
The package openssl098e is provided purely for binary compatibility with older Amazon Linux versions. It does not receive security updates. (CVE-2024-0727)
Affected Packages:
openssl
Issue Correction:
Run dnf update openssl --releasever 2023.3.20240219 to update your system.
aarch64:
openssl-snapsafe-libs-debuginfo-3.0.8-1.amzn2023.0.11.aarch64
openssl-libs-3.0.8-1.amzn2023.0.11.aarch64
openssl-libs-debuginfo-3.0.8-1.amzn2023.0.11.aarch64
openssl-debuginfo-3.0.8-1.amzn2023.0.11.aarch64
openssl-snapsafe-libs-3.0.8-1.amzn2023.0.11.aarch64
openssl-perl-3.0.8-1.amzn2023.0.11.aarch64
openssl-3.0.8-1.amzn2023.0.11.aarch64
openssl-debugsource-3.0.8-1.amzn2023.0.11.aarch64
openssl-devel-3.0.8-1.amzn2023.0.11.aarch64
src:
openssl-3.0.8-1.amzn2023.0.11.src
x86_64:
openssl-snapsafe-libs-debuginfo-3.0.8-1.amzn2023.0.11.x86_64
openssl-libs-debuginfo-3.0.8-1.amzn2023.0.11.x86_64
openssl-perl-3.0.8-1.amzn2023.0.11.x86_64
openssl-debuginfo-3.0.8-1.amzn2023.0.11.x86_64
openssl-libs-3.0.8-1.amzn2023.0.11.x86_64
openssl-snapsafe-libs-3.0.8-1.amzn2023.0.11.x86_64
openssl-3.0.8-1.amzn2023.0.11.x86_64
openssl-debugsource-3.0.8-1.amzn2023.0.11.x86_64
openssl-devel-3.0.8-1.amzn2023.0.11.x86_64
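
To confirm that the update from the Issue Correction step took effect, the following added example (not part of the Amazon advisory) checks a package inventory for openssl packages older than the fixed build listed above. The function names and the sample inventory are constructed for illustration, and GNU sort -V is assumed as an approximation of rpm's own version comparison.

```shell
#!/bin/sh
# Added example: flag openssl packages older than the build shipped by ALAS-2024-520.
# Fixed version-release, taken from the package list in this advisory.
FIXED_EVR="3.0.8-1.amzn2023.0.11"

# evr_lt A B: succeed if version-release A sorts strictly before B.
# Assumption: GNU sort -V ordering is close enough to rpm's comparison
# for this version scheme; the epoch is not considered.
evr_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# audit_openssl: read "name version-release" lines on stdin, print every
# affected package below FIXED_EVR, and return 1 if any was found.
audit_openssl() {
    rc=0
    while read -r name evr; do
        case "$name" in
            # Runtime and devel packages named in the advisory
            # (debuginfo/debugsource packages are left out).
            openssl|openssl-libs|openssl-snapsafe-libs|openssl-perl|openssl-devel) ;;
            *) continue ;;
        esac
        if evr_lt "$evr" "$FIXED_EVR"; then
            printf 'VULNERABLE %s %s (< %s)\n' "$name" "$evr" "$FIXED_EVR"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample inventory (not real host data).
sample_inventory() {
    cat <<'EOF'
openssl 3.0.8-1.amzn2023.0.9
openssl-libs 3.0.8-1.amzn2023.0.11
openssl-devel 3.0.8-1.amzn2023.0.12
bash 5.2.15-1.amzn2023.0.2
EOF
}

# Demo run over the constructed inventory. On a live host, feed it with:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | audit_openssl
sample_inventory | audit_openssl || true
```
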