Security update for openssl-3 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:3243-1 Final 1 1 2023-08-08T16:20:09Z current 2023-08-08T16:20:09Z 2023-08-08T16:20:09Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openssl-3 This update for openssl-3 fixes the following issues: - CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/ltss/sle15.5/sle15:latest-2023-3243,SUSE-2023-3243,SUSE-SLE-Module-Basesystem-15-SP5-2023-3243,openSUSE-SLE-15.5-2023-3243 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20233243-1/ Link for SUSE-SU-2023:3243-1 https://lists.suse.com/pipermail/sle-updates/2023-August/030846.html E-Mail link for SUSE-SU-2023:3243-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1213853 SUSE Bug 1213853 https://www.suse.com/security/cve/CVE-2023-3817/ SUSE CVE CVE-2023-3817 page Container suse/ltss/sle15.5/sle15:latest SUSE Linux Enterprise Module for Basesystem 15 SP5 openSUSE Leap 15.5 libopenssl3-3.0.8-150500.5.11.1 openssl-3-3.0.8-150500.5.11.1 libopenssl-3-devel-3.0.8-150500.5.11.1 libopenssl-3-devel-32bit-3.0.8-150500.5.11.1 libopenssl-3-devel-64bit-3.0.8-150500.5.11.1 libopenssl3-32bit-3.0.8-150500.5.11.1 libopenssl3-64bit-3.0.8-150500.5.11.1 openssl-3-doc-3.0.8-150500.5.11.1 libopenssl3-3.0.8-150500.5.11.1 as a component of Container suse/ltss/sle15.5/sle15:latest openssl-3-3.0.8-150500.5.11.1 as a component of Container suse/ltss/sle15.5/sle15:latest libopenssl-3-devel-3.0.8-150500.5.11.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP5 libopenssl3-3.0.8-150500.5.11.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP5 openssl-3-3.0.8-150500.5.11.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP5 libopenssl-3-devel-3.0.8-150500.5.11.1 as a component of openSUSE Leap 15.5 libopenssl-3-devel-32bit-3.0.8-150500.5.11.1 as a component of openSUSE Leap 15.5 libopenssl3-3.0.8-150500.5.11.1 as a component of openSUSE Leap 15.5 libopenssl3-32bit-3.0.8-150500.5.11.1 as a component of openSUSE Leap 15.5 openssl-3-3.0.8-150500.5.11.1 as a component of openSUSE Leap 15.5 openssl-3-doc-3.0.8-150500.5.11.1 as a component of openSUSE Leap 15.5 Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. CVE-2023-3817 Container suse/ltss/sle15.5/sle15:latest:libopenssl3-3.0.8-150500.5.11.1 Container suse/ltss/sle15.5/sle15:latest:openssl-3-3.0.8-150500.5.11.1 SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.11.1 SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.11.1 SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.11.1 openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.11.1 openSUSE Leap 15.5:libopenssl-3-devel-32bit-3.0.8-150500.5.11.1 openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.11.1 openSUSE Leap 15.5:libopenssl3-32bit-3.0.8-150500.5.11.1 openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.11.1 openSUSE Leap 15.5:openssl-3-doc-3.0.8-150500.5.11.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20233243-1/ https://www.suse.com/security/cve/CVE-2023-3817.html CVE-2023-3817 https://bugzilla.suse.com/1213853 SUSE Bug 1213853 https://bugzilla.suse.com/1216922 SUSE Bug 1216922