Bug 1209873 (CVE-2023-0466) - VUL-1: CVE-2023-0466: openssl-3,openssl-1_0_0,openssl-1_1,openssl1,openssl: Certificate policy check not enabled
Status: RESOLVED FIXED
Alias: CVE-2023-0466
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low; Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/361666/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-0466:2.0:(AV:N...
Reported: 2023-03-29 08:57 UTC by Cathy Hu
Modified: 2024-05-06 08:50 UTC (History)
Found By: Security Response Team
Description Cathy Hu 2023-03-29 08:57:01 UTC
CVE-2023-0466

The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable
the certificate policy check when doing certificate verification. However, the
implementation of the function does not enable the check, which allows
certificates with invalid or incorrect policies to pass the certificate
verification. As suddenly enabling the policy check could break existing
deployments, it was decided to keep the existing behavior of the
X509_VERIFY_PARAM_add0_policy() function. Instead, the applications that require
OpenSSL to perform certificate policy check need to use
X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by
calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag
argument. Certificate policy checks are disabled by default in OpenSSL and are
not commonly used by applications.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0466
https://bugzilla.redhat.com/show_bug.cgi?id=2182565
https://www.cve.org/CVERecord?id=CVE-2023-0466
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=73398dea26de9899fb4baa94098ad0a61f435c72
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc814a30fc4f0bc54fcea7d9a7462f5457aab061
https://www.openssl.org/news/secadv/20230328.txt
Comment 2 Cathy Hu 2023-03-29 08:59:58 UTC
It is a documentation bug, low prio.

Tracking all codestreams for openssl-3, openssl-1_0_0, openssl-1_1, openssl1, openssl as affected.
Comment 3 Pedro Monreal Gonzalez 2023-03-29 10:33:35 UTC
Thanks, Hu!

See also the upstream pull requests:
   * 3.1: https://github.com/openssl/openssl/pull/20562
   * 3.0: https://github.com/openssl/openssl/pull/20563
   * 1.1.1: https://github.com/openssl/openssl/pull/20564

Assigning back to Otto.
Comment 4 OBSbugzilla Bot 2023-03-30 13:35:10 UTC
This is an autogenerated message for OBS integration:
This bug (1209873) was mentioned in
https://build.opensuse.org/request/show/1075557 Factory / openssl-3
Comment 5 Otto Hollmann 2023-04-04 14:21:30 UTC
Submitted:

> Codestream              Package            Request
> ------------------------------------------------------------------------------------------
> SUSE:SLE-15-SP5:GA      openssl-3          https://build.suse.de/request/show/293617      
> SUSE:SLE-15-SP4:Update  openssl-3          https://build.suse.de/request/show/293618      
> openSUSE:Factory        openssl-3          https://build.opensuse.org/request/show/1075557
> ------------------------------------------------------------------------------------------
> SUSE:SLE-15-SP5:GA      openssl-1_1        https://build.suse.de/request/show/293619      
> SUSE:SLE-15-SP4:Update  openssl-1_1        https://build.suse.de/request/show/293620      
> SUSE:SLE-15-SP2:Update  openssl-1_1        https://build.suse.de/request/show/293621      
> SUSE:SLE-15-SP1:Update  openssl-1_1        https://build.suse.de/request/show/293622      
> SUSE:SLE-12-SP4:Update  openssl-1_1        https://build.suse.de/request/show/293623      
> openSUSE:Factory        openssl-1_1        https://build.opensuse.org/request/show/1077221
> ------------------------------------------------------------------------------------------
> SUSE:SLE-15:Update      openssl-1_0_0      https://build.suse.de/request/show/293624      
> SUSE:SLE-12-SP4:Update  openssl-1_0_0      https://build.suse.de/request/show/293625      
> SUSE:SLE-12-SP2:Update  openssl            https://build.suse.de/request/show/293626      
> SUSE:SLE-11-SP3:Update  openssl1           https://build.suse.de/request/show/293627      
> openSUSE:Factory        openssl-1_0_0      https://build.opensuse.org/request/show/1077222
> ------------------------------------------------------------------------------------------
> SUSE:SLE-12:Update      compat-openssl098  not affected
> SUSE:SLE-11-SP1:Update  openssl            not affected

Assigning back to security team
Comment 6 Maintenance Automation 2023-04-06 16:30:09 UTC
SUSE-SU-2023:1790-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1209624, 1209873, 1209878
CVE References: CVE-2023-0464, CVE-2023-0465, CVE-2023-0466
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise Real Time 15 SP3 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Manager Proxy 4.2 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Manager Retail Branch Server 4.2 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Manager Server 4.2 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Enterprise Storage 7.1 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Enterprise Storage 7 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise Micro 5.1 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise Micro 5.2 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): openssl-1_1-1.1.1d-150200.11.62.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Maintenance Automation 2023-04-07 12:30:06 UTC
SUSE-SU-2023:1794-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1209873, 1209878
CVE References: CVE-2023-0465, CVE-2023-0466
Sources used:
SUSE OpenStack Cloud 9 (src): openssl-1_1-1.1.1d-2.81.1
SUSE OpenStack Cloud Crowbar 9 (src): openssl-1_1-1.1.1d-2.81.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): openssl-1_1-1.1.1d-2.81.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): openssl-1_1-1.1.1d-2.81.1
SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (src): openssl-1_1-1.1.1d-2.81.1
SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (src): openssl-1_1-1.1.1d-2.81.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): openssl-1_1-1.1.1d-2.81.1
SUSE Linux Enterprise Server 12 SP5 (src): openssl-1_1-1.1.1d-2.81.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): openssl-1_1-1.1.1d-2.81.1
Comment 9 Otto Hollmann 2023-04-11 13:34:29 UTC
Re-submitted:

(In reply to Otto Hollmann from comment #5)
> Codestream              Package            Request
> ------------------------------------------------------------------------------------------
> SUSE:SLE-15-SP1:Update  openssl-1_1        https://build.suse.de/request/show/293622 (declined)
> SUSE:SLE-15-SP1:Update  openssl-1_1        https://build.suse.de/request/show/294219
Comment 10 Maintenance Automation 2023-04-18 12:30:24 UTC
SUSE-SU-2023:1898-1: An update that solves two vulnerabilities and has one fix can now be installed.

Category: security (moderate)
Bug References: 1209873, 1209878, 1210060
CVE References: CVE-2023-0465, CVE-2023-0466
Sources used:
openSUSE Leap 15.4 (src): openssl-3-3.0.1-150400.4.23.1
Basesystem Module 15-SP4 (src): openssl-3-3.0.1-150400.4.23.1
Comment 11 Maintenance Automation 2023-04-19 08:30:03 UTC
SUSE-SU-2023:1908-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1209873, 1209878
CVE References: CVE-2023-0465, CVE-2023-0466
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): openssl-1_1-1.1.0i-150100.14.48.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): openssl-1_1-1.1.0i-150100.14.48.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): openssl-1_1-1.1.0i-150100.14.48.1
SUSE CaaS Platform 4.0 (src): openssl-1_1-1.1.0i-150100.14.48.1
Comment 12 Maintenance Automation 2023-04-19 08:30:05 UTC
SUSE-SU-2023:1907-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1209873, 1209878
CVE References: CVE-2023-0465, CVE-2023-0466
Sources used:
SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (src): openssl-1.0.2j-60.92.1
Comment 13 Maintenance Automation 2023-04-19 12:30:04 UTC
SUSE-SU-2023:1911-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1209873, 1209878
CVE References: CVE-2023-0465, CVE-2023-0466
Sources used:
openSUSE Leap Micro 5.3 (src): openssl-1_1-1.1.1l-150400.7.34.1
openSUSE Leap 15.4 (src): openssl-1_1-1.1.1l-150400.7.34.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): openssl-1_1-1.1.1l-150400.7.34.1
SUSE Linux Enterprise Micro 5.3 (src): openssl-1_1-1.1.1l-150400.7.34.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): openssl-1_1-1.1.1l-150400.7.34.1
SUSE Linux Enterprise Micro 5.4 (src): openssl-1_1-1.1.1l-150400.7.34.1
Basesystem Module 15-SP4 (src): openssl-1_1-1.1.1l-150400.7.34.1
Comment 14 Maintenance Automation 2023-04-19 20:30:01 UTC
SUSE-SU-2023:1922-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1209873, 1209878
CVE References: CVE-2023-0465, CVE-2023-0466
Sources used:
openSUSE Leap 15.4 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
Legacy Module 15-SP4 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
SUSE Enterprise Storage 7.1 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
SUSE Enterprise Storage 7 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
SUSE CaaS Platform 4.0 (src): openssl-1_0_0-1.0.2p-150000.3.73.1
Comment 15 Maintenance Automation 2023-04-20 08:30:05 UTC
SUSE-SU-2023:1926-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1209873, 1209878
CVE References: CVE-2023-0465, CVE-2023-0466
Sources used:
SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE 11-SP4 (src): openssl1-1.0.1g-0.58.62.1
SUSE Linux Enterprise Server 11 SP4 (src): openssl1-1.0.1g-0.58.62.1
Comment 16 Maintenance Automation 2023-05-08 09:07:06 UTC
SUSE-SU-2023:1914-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1209873, 1209878
CVE References: CVE-2023-0465, CVE-2023-0466
Sources used:
SUSE OpenStack Cloud 9 (src): openssl-1_0_0-1.0.2p-3.72.1
SUSE OpenStack Cloud Crowbar 9 (src): openssl-1_0_0-1.0.2p-3.72.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): openssl-1_0_0-1.0.2p-3.72.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): openssl-1_0_0-1.0.2p-3.72.1
SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (src): openssl-1_0_0-1.0.2p-3.72.1
SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (src): openssl-1_0_0-1.0.2p-3.72.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): openssl-1_0_0-1.0.2p-3.72.1
SUSE Linux Enterprise Server 12 SP5 (src): openssl-1_0_0-1.0.2p-3.72.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): openssl-1_0_0-1.0.2p-3.72.1
Comment 17 OBSbugzilla Bot 2023-05-31 08:35:06 UTC
This is an autogenerated message for OBS integration:
This bug (1209873) was mentioned in
https://build.opensuse.org/request/show/1089933 Factory / openssl-3
Comment 18 OBSbugzilla Bot 2023-05-31 10:35:03 UTC
This is an autogenerated message for OBS integration:
This bug (1209873) was mentioned in
https://build.opensuse.org/request/show/1089973 Factory / openssl-1_1
Comment 28 Robert Frohl 2024-05-06 08:50:49 UTC
done, closing