-------------------------------------------------------------------------
Debian LTS Advisory DLA-3942-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Sean Whitton
October 31, 2024                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : openssl
Version        : 1.1.1n-0+deb11u6
CVE ID         : CVE-2023-5678 CVE-2024-0727 CVE-2024-2511 CVE-2024-4741
                 CVE-2024-5535 CVE-2024-9143
Debian Bug     : 1055473 1061582 1068658 1072113 1074487 1085378

Multiple vulnerabilities were discovered in OpenSSL, the Secure Sockets
Layer toolkit.

CVE-2023-5678

    A denial of service could occur with excessively long X9.42 DH keys.

CVE-2024-0727

    A denial of service could occur with a null field in a PKCS12 file.

CVE-2024-2511

    A denial of service could occur when the SSL_OP_NO_TICKET flag is
    set, with TLSv1.3.

CVE-2024-4741

    A use-after-free problem was found in the SSL_free_buffers function.

CVE-2024-5535

    Calling the OpenSSL API function SSL_select_next_proto with an empty
    supported client protocols buffer may cause a crash or memory
    contents to be sent to the peer.

CVE-2024-9143

    Use of the low-level GF(2^m) elliptic curve APIs with untrusted
    explicit values for the field polynomial can lead to out-of-bounds
    memory reads or writes.  This could lead to information disclosure
    or possibly remote code execution.

For Debian 11 bullseye, these problems have been fixed in version
1.1.1n-0+deb11u6.

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openssl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Debian LTS: DLA-3942-1: openssl Security Advisory Updates

October 31, 2024
Multiple vulnerabilities were discovered in OpenSSL, the Secure Sockets Layer toolkit

Summary

CVE-2023-5678

A denial of service could occur with excessively long X9.42 DH keys.

CVE-2024-0727

A denial of service could occur with a null field in a PKCS12 file.

CVE-2024-2511

A denial of service could occur when the SSL_OP_NO_TICKET flag is
set, with TLSv1.3.

CVE-2024-4741

A use-after-free problem was found in the SSL_free_buffers function.

CVE-2024-5535

Calling the OpenSSL API function SSL_select_next_proto with an empty
supported client protocols buffer may cause a crash or memory
contents to be sent to the peer.

CVE-2024-9143

Use of the low-level GF(2^m) elliptic curve APIs with untrusted
explicit values for the field polynomial can lead to out-of-bounds
memory reads or writes. This could lead to information disclosure
or possibly remote code execution.

For Debian 11 bullseye, these problems have been fixed in version
1.1.1n-0+deb11u6.

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openssl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Severity
Package : openssl
Version : 1.1.1n-0+deb11u6
CVE ID : CVE-2023-5678 CVE-2024-0727 CVE-2024-2511 CVE-2024-4741
Debian Bug : 1055473 1061582 1068658 1072113 1074487 1085378

Related News

Google Releases Chrome 130 with Critical Security Fixes for 17 Flaws
3 - 5 min read
Google recently unveiled Chrome 130 , an update that addresses several security vulnerabilities to ensure the web browser's safety and reliability.
U.S. Investigation into China-Backed Telecom Companies Hack: The Role & Risks of Encryption Backdoors
3 - 5 min read
U.S. authorities are on high alert as they investigate an alleged Chinese state-sponsored hack targeting major U.S. telecommunications companies.
FASTCash Linux Malware: A New Cybercrime Menace Targeting Payment Switch Systems
3 - 5 min read
As malware threats evolve to increasingly target Linux systems, admins and organizations must stay up-to-date on the latest Linux malware variants
Optimizing CWPP on Linux Servers: Best Practices and Configurations
3 - 6 min read
Cloud Workload Protection Platforms are now essential for securing virtual environments. These provide a robust security layer vital for addressing
The Infiltration of Supply Chain Attacks in Open-Source Software Management
3 - 6 min read
Open-source projects are renowned for their collaborative nature and widespread adoption, yet more sophisticated supply chain attacks target them
Strengthen Your Linux Software Development Pipeline with Code Security Scanners
3 - 6 min read
Developers recognize the critical nature of protecting software systems as cyberattacks grow more sophisticated, thus necessitating robust security
Everything You Need to Know About Cloud Security Posture Management
3 - 5 min read
Many companies are transitioning from physical servers to cloud operations, but this transformation brings new challenges. Cloud Security Posture
Understanding the Critical Oath-Toolkit Vulnerability and Its Implications for Admins
3 - 5 min read
As Linux security threats advance and evolve, vulnerabilities often surface unexpectedly, exposing systems to potential exploitation. SUSE

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved