Bugzilla – Bug 1209873
VUL-1: CVE-2023-0466: openssl-3,openssl-1_0_0,openssl-1_1,openssl1,openssl: Certificate policy check not enabled
Last modified: 2024-05-06 08:50:49 UTC
CVE-2023-0466 The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification. As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0466
https://bugzilla.redhat.com/show_bug.cgi?id=2182565
https://www.cve.org/CVERecord?id=CVE-2023-0466
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=73398dea26de9899fb4baa94098ad0a61f435c72
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc814a30fc4f0bc54fcea7d9a7462f5457aab061
https://www.openssl.org/news/secadv/20230328.txt
It is a documentation bug, low prio. Tracking all codestreams for openssl-3, openssl-1_0_0, openssl-1_1, openssl1, openssl as affected.
Thanks, Hu! See also the upstream pull requests:
* 3.1: https://github.com/openssl/openssl/pull/20562
* 3.0: https://github.com/openssl/openssl/pull/20563
* 1.1.1: https://github.com/openssl/openssl/pull/20564
Assigning back to Otto.
This is an autogenerated message for OBS integration: This bug (1209873) was mentioned in https://build.opensuse.org/request/show/1075557 Factory / openssl-3
Submitted:
> Codestream                  Package           Request
> ------------------------------------------------------------------------------------------
> SUSE:SLE-15-SP5:GA          openssl-3         https://build.suse.de/request/show/293617
> SUSE:SLE-15-SP4:Update      openssl-3         https://build.suse.de/request/show/293618
> openSUSE:Factory            openssl-3         https://build.opensuse.org/request/show/1075557
> ------------------------------------------------------------------------------------------
> SUSE:SLE-15-SP5:GA          openssl-1_1       https://build.suse.de/request/show/293619
> SUSE:SLE-15-SP4:Update      openssl-1_1       https://build.suse.de/request/show/293620
> SUSE:SLE-15-SP2:Update      openssl-1_1       https://build.suse.de/request/show/293621
> SUSE:SLE-15-SP1:Update      openssl-1_1       https://build.suse.de/request/show/293622
> SUSE:SLE-12-SP4:Update      openssl-1_1       https://build.suse.de/request/show/293623
> openSUSE:Factory            openssl-1_1       https://build.opensuse.org/request/show/1077221
> ------------------------------------------------------------------------------------------
> SUSE:SLE-15:Update          openssl-1_0_0     https://build.suse.de/request/show/293624
> SUSE:SLE-12-SP4:Update      openssl-1_0_0     https://build.suse.de/request/show/293625
> SUSE:SLE-12-SP2:Update      openssl           https://build.suse.de/request/show/293626
> SUSE:SLE-11-SP3:Update      openssl1          https://build.suse.de/request/show/293627
> openSUSE:Factory            openssl-1_0_0     https://build.opensuse.org/request/show/1077222
> ------------------------------------------------------------------------------------------
> SUSE:SLE-12:Update          compat-openssl098 not affected
> SUSE:SLE-11-SP1:Update      openssl           not affected
Assigning back to security team
SUSE-SU-2023:1790-1: An update that solves three vulnerabilities can now be installed.
Category: security (moderate)
Bug References: 1209624, 1209873, 1209878
CVE References: CVE-2023-0464, CVE-2023-0465, CVE-2023-0466
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise Real Time 15 SP3 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Manager Proxy 4.2 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Manager Retail Branch Server 4.2 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Manager Server 4.2 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Enterprise Storage 7.1 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Enterprise Storage 7 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise Micro 5.1 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise Micro 5.2 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): openssl-1_1-1.1.1d-150200.11.62.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:1794-1: An update that solves two vulnerabilities can now be installed.
Category: security (moderate)
Bug References: 1209873, 1209878
CVE References: CVE-2023-0465, CVE-2023-0466
Sources used:
SUSE OpenStack Cloud 9 (src): openssl-1_1-1.1.1d-2.81.1
SUSE OpenStack Cloud Crowbar 9 (src): openssl-1_1-1.1.1d-2.81.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): openssl-1_1-1.1.1d-2.81.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): openssl-1_1-1.1.1d-2.81.1
SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (src): openssl-1_1-1.1.1d-2.81.1
SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (src): openssl-1_1-1.1.1d-2.81.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): openssl-1_1-1.1.1d-2.81.1
SUSE Linux Enterprise Server 12 SP5 (src): openssl-1_1-1.1.1d-2.81.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): openssl-1_1-1.1.1d-2.81.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Re-submitted:
(In reply to Otto Hollmann from comment #5)
> Codestream                  Package           Request
> ------------------------------------------------------------------------------------------
> SUSE:SLE-15-SP1:Update      openssl-1_1       https://build.suse.de/request/show/293622 (declined)
> SUSE:SLE-15-SP1:Update      openssl-1_1       https://build.suse.de/request/show/294219
SUSE-SU-2023:1898-1: An update that solves two vulnerabilities and has one fix can now be installed.
Category: security (moderate)
Bug References: 1209873, 1209878, 1210060
CVE References: CVE-2023-0465, CVE-2023-0466
Sources used:
openSUSE Leap 15.4 (src): openssl-3-3.0.1-150400.4.23.1
Basesystem Module 15-SP4 (src): openssl-3-3.0.1-150400.4.23.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:1908-1: An update that solves two vulnerabilities can now be installed.
Category: security (moderate)
Bug References: 1209873, 1209878
CVE References: CVE-2023-0465, CVE-2023-0466
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): openssl-1_1-1.1.0i-150100.14.48.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): openssl-1_1-1.1.0i-150100.14.48.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): openssl-1_1-1.1.0i-150100.14.48.1
SUSE CaaS Platform 4.0 (src): openssl-1_1-1.1.0i-150100.14.48.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:1907-1: An update that solves two vulnerabilities can now be installed.
Category: security (moderate)
Bug References: 1209873, 1209878
CVE References: CVE-2023-0465, CVE-2023-0466
Sources used:
SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (src): openssl-1.0.2j-60.92.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:1911-1: An update that solves two vulnerabilities can now be installed.
Category: security (moderate)
Bug References: 1209873, 1209878
CVE References: CVE-2023-0465, CVE-2023-0466
Sources used:
openSUSE Leap Micro 5.3 (src): openssl-1_1-1.1.1l-150400.7.34.1
openSUSE Leap 15.4 (src): openssl-1_1-1.1.1l-150400.7.34.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): openssl-1_1-1.1.1l-150400.7.34.1
SUSE Linux Enterprise Micro 5.3 (src): openssl-1_1-1.1.1l-150400.7.34.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): openssl-1_1-1.1.1l-150400.7.34.1
SUSE Linux Enterprise Micro 5.4 (src): openssl-1_1-1.1.1l-150400.7.34.1
Basesystem Module 15-SP4 (src): openssl-1_1-1.1.1l-150400.7.34.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:1922-1: An update that solves two vulnerabilities can now be installed.
Category: security (moderate)
Bug References: 1209873, 1209878
CVE References: CVE-2023-0465, CVE-2023-0466
Sources used:
openSUSE Leap 15.4 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
Legacy Module 15-SP4 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
SUSE Enterprise Storage 7.1 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
SUSE Enterprise Storage 7 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
SUSE CaaS Platform 4.0 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:1926-1: An update that solves two vulnerabilities can now be installed.
Category: security (moderate)
Bug References: 1209873, 1209878
CVE References: CVE-2023-0465, CVE-2023-0466
Sources used:
SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE 11-SP4 (src): openssl1-1.0.1g-0.58.62.1
SUSE Linux Enterprise Server 11 SP4 (src): openssl1-1.0.1g-0.58.62.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:1914-1: An update that solves two vulnerabilities can now be installed.
Category: security (moderate)
Bug References: 1209873, 1209878
CVE References: CVE-2023-0465, CVE-2023-0466
Sources used:
SUSE OpenStack Cloud 9 (src): openssl-1_0_0-1.0.2p-3.72.1
SUSE OpenStack Cloud Crowbar 9 (src): openssl-1_0_0-1.0.2p-3.72.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): openssl-1_0_0-1.0.2p-3.72.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): openssl-1_0_0-1.0.2p-3.72.1
SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (src): openssl-1_0_0-1.0.2p-3.72.1
SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (src): openssl-1_0_0-1.0.2p-3.72.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): openssl-1_0_0-1.0.2p-3.72.1
SUSE Linux Enterprise Server 12 SP5 (src): openssl-1_0_0-1.0.2p-3.72.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): openssl-1_0_0-1.0.2p-3.72.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1209873) was mentioned in https://build.opensuse.org/request/show/1089933 Factory / openssl-3
This is an autogenerated message for OBS integration: This bug (1209873) was mentioned in https://build.opensuse.org/request/show/1089973 Factory / openssl-1_1
done, closing