Bugzilla – Bug 1219386
VUL-0: CVE-2023-5992: opensc: Side-channel leaks while stripping encryption PKCS#1 padding
Last modified: 2024-05-24 12:30:03 UTC
The OpenSC code handling the PKCS#1 encryption padding removal is not implemented in side-channel resistant way, which can lead to possible leak to private key data. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-5992 https://bugzilla.redhat.com/show_bug.cgi?id=2248685
Fix for this issue can be found here https://github.com/OpenSC/OpenSC/pull/2948 I will backport it into our codestreams
I'm on it.
Fix for this is already present in 0.25.0, so Factory is ok. Will backport to SLE.
SUSE-SU-2024:1402-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1219386 CVE References: CVE-2023-5992 Maintenance Incident: [SUSE:Maintenance:33418](https://smelt.suse.de/incident/33418/) Sources used: openSUSE Leap 15.4 (src): opensc-0.22.0-150400.3.9.1 openSUSE Leap Micro 5.3 (src): opensc-0.22.0-150400.3.9.1 openSUSE Leap Micro 5.4 (src): opensc-0.22.0-150400.3.9.1 openSUSE Leap 15.5 (src): opensc-0.22.0-150400.3.9.1 SUSE Linux Enterprise Micro for Rancher 5.3 (src): opensc-0.22.0-150400.3.9.1 SUSE Linux Enterprise Micro 5.3 (src): opensc-0.22.0-150400.3.9.1 SUSE Linux Enterprise Micro for Rancher 5.4 (src): opensc-0.22.0-150400.3.9.1 SUSE Linux Enterprise Micro 5.4 (src): opensc-0.22.0-150400.3.9.1 SUSE Linux Enterprise Micro 5.5 (src): opensc-0.22.0-150400.3.9.1 Basesystem Module 15-SP5 (src): opensc-0.22.0-150400.3.9.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1625-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1219386 CVE References: CVE-2023-5992 Maintenance Incident: [SUSE:Maintenance:33796](https://smelt.suse.de/incident/33796/) Sources used: SUSE Linux Enterprise High Performance Computing 12 SP5 (src): opensc-0.13.0-3.28.1 SUSE Linux Enterprise Server 12 SP5 (src): opensc-0.13.0-3.28.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): opensc-0.13.0-3.28.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SLE-11 is out of support, so that request won't be submitted. Only SLE-15:Update and SLE-15-SP1:Update are still to be released, but their SRs have already been submitted on IBS: SLE-15-SP1 https://build.suse.de/request/show/329349 SLE-15 https://build.suse.de/request/show/329348 I'm reassigning this to the security team
Just an extra piece of info, regarding opensc no longer being supported on SLE-11, you can double-check that using https://smelt.suse.de, just search for 'opensc', I'm unable to find a direct link.
SUSE-SU-2024:1773-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1219386 CVE References: CVE-2023-5992 Maintenance Incident: [SUSE:Maintenance:33736](https://smelt.suse.de/incident/33736/) Sources used: SUSE Linux Enterprise Micro 5.1 (src): opensc-0.19.0-150100.3.28.1 SUSE Linux Enterprise Micro 5.2 (src): opensc-0.19.0-150100.3.28.1 SUSE Linux Enterprise Micro for Rancher 5.2 (src): opensc-0.19.0-150100.3.28.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.