
148 matches found

Tenable Nessus
added 2023/03/06 12:0 a.m. | 55 views

Tenable SecurityCenter 6.0.0 Multiple Vulnerabilities (TNS-2023-07)

According to its self-reported version, the Tenable SecurityCenter application installed on the remote host is running 6.0.0 and is therefore affected by multiple vulnerabilities in OpenSSL prior to version 3.0.8: - An attacker that had observed a genuine connection between a client and a server...

CVSS 7.5 | AI score 7.4 | EPSS 0.20444
Exploits: 0 | References: 9

SUSE CVE
added 2023/02/15 5:56 a.m. | 2 views

SUSE CVE-2010-4180

OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network...

CVSS 4.3 | AI score 7 | EPSS 0.09497
Exploits: 0 | References: 15

SUSE CVE
added 2023/02/15 4:1 a.m. | 1 views

SUSE CVE-2020-7043

An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL before 1.0.2. tunnel.c mishandles certificate validation because hostname comparisons do not consider '\0' characters, as demonstrated by a good.example.com\x00evil.example.com attack...

CVSS 9.1 | AI score 8.9 | EPSS 0.02403
Exploits: 0 | References: 5

SUSE CVE
added 2023/02/15 3:49 a.m. | 4 views

SUSE CVE-2021-3449

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension where it was present in the initial ClientHello, but includes a signature_algorithms_cert extension then a NU...

CVSS 7.5 | AI score 7.1 | EPSS 0.63542
Exploits: 3 | References: 81

SUSE CVE
added 2023/02/15 3:49 a.m. | 2 views

SUSE CVE-2021-3450

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an...

CVSS 7.4 | AI score 7.2 | EPSS 0.18339
Exploits: 0 | References: 13

SUSE CVE
added 2023/02/15 3:34 a.m. | 2 views

SUSE CVE-2022-1343

The function OCSP_basic_verify verifies the signer certificate on an OCSP response. In the case where the non-default flag OCSP_NOCHECKS is used then the response will be positive meaning a successful verification even in the case where the response signing certificate fails to verify. It is...

CVSS 6.1 | AI score 6.6 | EPSS 0.01109
Exploits: 0 | References: 4

OSV
added 2023/02/08 10:17 p.m. | 5 views

GHSA-X4QR-2FVF-3MR5 Vulnerable OpenSSL included in cryptography wheels

pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 0.8.1-39.0.0 are vulnerable to a security issue. More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20221213.txt and...

CVSS 7.4 | AI score 6.8 | EPSS 0.61979
Exploits: 0 | References: 13

vulnersOsv
added 2023/02/07 12:0 p.m. | 1 views

roaring-landmask (=0.4.0) potentially affected by CVE-2023-0217 via openssl-src (=300.0.0+3.0.0)

openssl-src CARGO version =300.0.0+3.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on openssl-src and may be impacted: - roaring-landmask =0.4.0 Source cves: CVE-2023-0217 Source advisory: OSV:RUSTSEC-2023-0012...

CVSS 7.5 | AI score 7.1 | EPSS 0.01862
Exploits: 0

Elastic
added 2022/11/02 6:41 p.m. | 4 views

Elastic Security Statement for OpenSSL CVE-2022-3786 and CVE-2022-3602, OpenSSL version 3.0.7

Elastic Products are not affected by this issue. On Oct 25, 2022, Elastic became aware of the Forthcoming OpenSSL 3.0.7 Release announcement, which was made available on Nov 1, 2022. The security issues addressed in this release do not affect OpenSSL versions before 3.0. Elastic has performed an...

CVSS 7.5 | AI score 8.6 | EPSS 0.91153
Exploits: 6

Trend Micro Simply Security
added 2022/10/31 12:0 a.m. | 10 views

Latest on OpenSSL 3.0.7 Critical Bug & Security-Fix

Potential disruptions following vulnerabilities found in OpenSSL...

AI score 2.6
Exploits: 0

Tenable Nessus
added 2022/07/05 12:0 a.m. | 311 views

OpenSSL 1.1.1 < 1.1.1q Vulnerability

The version of OpenSSL installed on the remote host is prior to 1.1.1q. It is, therefore, affected by a vulnerability as referenced in the 1.1.1q advisory. - AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under so...

CVSS 5.3 | AI score 6.9 | EPSS 0.02024
Exploits: 0 | References: 4

OSV
added 2022/06/28 2:20 a.m. | 47 views

GSD-2022-2274 heap buffer overflow in OpenSSL version 3.0.4

In OpenSSL version 3.0.4 a heap buffer overflow exists in the AVX512 support that can be attacked via network resulting in code execution. This is reachable via four code paths: RSAZ 1024, RSAZ 512, Dual 1024 RSAZ, and Default constant-time Montgomery modular exponentiation. Please note this issu...

AI score 9.3
Exploits: 0 | References: 6

OSV
added 2022/06/21 2:36 p.m. | 0 views

USN-5488-1 openssl, openssl1.0 vulnerability

Chancen and Daniel Fiala discovered that OpenSSL incorrectly handled the c_rehash script. A local attacker could possibly use this issue to execute arbitrary commands when c_rehash is run...

CVSS 10 | AI score 6.9 | EPSS 0.95764
Exploits: 1 | References: 2

Tenable Nessus
added 2022/05/04 12:0 a.m. | 635 views

OpenSSL 1.0.2 < 1.0.2ze Vulnerability

The version of OpenSSL installed on the remote host is prior to 1.0.2ze. It is, therefore, affected by a vulnerability as referenced in the 1.0.2ze advisory. - The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some...

CVSS 10 | AI score 7.2 | EPSS 0.83583
Exploits: 5 | References: 4

OSV
added 2022/05/03 4:15 p.m. | 1 views

ALPINE-CVE-2022-1343

The function OCSP_basic_verify verifies the signer certificate on an OCSP response. In the case where the non-default flag OCSP_NOCHECKS is used then the response will be positive meaning a successful verification even in the case where the response signing certificate fails to verify. It is...

CVSS 5.3 | AI score 7 | EPSS 0.01109
Exploits: 0 | References: 1

Tenable Nessus
added 2022/05/03 12:0 a.m. | 413 views

OpenSSL 1.1.1 < 1.1.1o Vulnerability

The version of OpenSSL installed on the remote host is prior to 1.1.1o. It is, therefore, affected by a vulnerability as referenced in the 1.1.1o advisory. - The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operati...

CVSS 10 | AI score 7.1 | EPSS 0.83583
Exploits: 5 | References: 4

OSV
added 2022/04/08 2:30 p.m. | 5 views

SUSE-SU-2022:1140-1 Security update for python

This update for python rebuilds python against a symbol versioned openssl 1.0.2 to allow usage with openssl 1.1.1. Also the following security issues are fixed: - CVE-2022-0391: Fixed sanitizing URLs containing ASCII newline and tabs in urlparse (bsc#1195396). - CVE-2021-4189: Make ftplib not trust...

CVSS 7.5 | AI score 6.6 | EPSS 0.08325
Exploits: 1 | References: 6

Tenable Nessus
added 2022/01/28 12:0 a.m. | 206 views

OpenSSL 1.1.1 < 1.1.1m Vulnerability

The version of OpenSSL installed on the remote host is prior to 1.1.1m. It is, therefore, affected by a vulnerability as referenced in the 1.1.1m advisory. - There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1....

CVSS 5.9 | AI score 6.7 | EPSS 0.83645
Exploits: 1 | References: 4

IBM AIX
added 2022/01/06 9:17 a.m. | 238 views

Vulnerabilities in OpenSSH affect AIX.

IBM SECURITY ADVISORY First Issued: Thu Jan 6 09:17:41 CST 2022 The most recent version of this document is available here: http://aix.software.ibm.com/aix/efixes/security/opensshadvisory14.asc https://aix.software.ibm.com/aix/efixes/security/opensshadvisory14.asc...

CVSS 7 | AI score 0.7 | EPSS 0.02367
Exploits: 2

IBM Security Bulletins
added 2021/07/28 1:30 p.m. | 33 views

Security Bulletin: Multiple vulnerabilities in OpenSSL affects IBM InfoSphere Information Server

Summary Multiple vulnerabilities in OpenSSL used by IBM InfoSphere Information Server were addressed. Vulnerability Details CVEID: CVE-2021-23840 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an integer overflow in CipherUpdate. By sending an overly long argument, an attack...

CVSS 7.5 | AI score 8.2 | EPSS 0.49798
Exploits: 0 | Affected Software: 1