CVE-2023-2650
Published 2023-05-30T14:15:00
Just reporting here for your acknowledgement
#
# An OpenSSL vulnerability has recently been fixed with USN-6188-1 & 6119-1:
# CVE-2023-2650: possible DoS translating ASN.1 object identifiers.
# Ensure you have updated the package to its latest version.
#
At the end of the vulnerability description:
[…]
The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer’s certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication. In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.
This means that only large-scale servers and clusters can be strongly affected by this vulnerability, and definitely this is not the case with smartphones.
However, in some other niches, this can be a sensitive problem, especially if it impacts the overall performance of the system, pushing it out of its specifications for latency and jitter.
If this happens, the vulnerability is not the root cause; rather, the root cause is not having provided real-time levels of execution for those applications and kernel threads that require it.
At the moment this is the current state of Sailfish OS:
[root@redfishos ~]# pkcon search openssl
Searching by details
Starting
Querying
Finished
Available openssl-1.1.1s+git1-1.11.1.jolla.aarch64 (jolla) Utilities from the general purpose cryptography library with TLS implementation
Available openssl-debuginfo-1.1.1s+git1-1.11.1.jolla.aarch64 (jolla) Debug information for package openssl
Available openssl-debugsource-1.1.1s+git1-1.11.1.jolla.aarch64 (jolla) Debug sources for package openssl
Available openssl-devel-1.1.1s+git1-1.11.1.jolla.aarch64 (jolla) Files for development of applications which will use OpenSSL
Installed openssl-libs-1.1.1s+git1-1.11.1.jolla.aarch64 (installed) A general purpose cryptography library with TLS implementation
Available openssl-perl-1.1.1s+git1-1.11.1.jolla.aarch64 (jolla) Perl scripts provided with OpenSSL
Available openssl-static-1.1.1s+git1-1.11.1.jolla.aarch64 (jolla) Libraries for static linking of applications which will use OpenSSL
Installed openvpn-2.5.5+git1-1.10.1.jolla.aarch64 (installed) A full-featured SSL VPN solution
Available pkcs11-helper-1.27+git1-1.4.3.jolla.aarch64 (jolla) A library for using PKCS#11 providers
Available python-M2Crypto-0.37.1+git2-1.4.5.jolla.aarch64 (jolla) Support for using OpenSSL in python scripts
Available python3-openssl-19.1.0+git2-1.6.2.jolla.aarch64 (jolla) Python wrapper module around the OpenSSL library
Available python3-openssl-debuginfo-19.1.0+git2-1.6.2.jolla.aarch64 (jolla) Debug information for package python3-openssl
Available python3-openssl-debugsource-19.1.0+git2-1.6.2.jolla.aarch64 (jolla) Debug sources for package python3-openssl
Available rubygem-openssl-2.1.3-1.8.1.jolla.aarch64 (jolla) OpenSSL provides SSL, TLS and general purpose cryptography
Available sqlcipher-4.5.0+git2-1.5.4.jolla.aarch64 (jolla) AES encryption for SQLite databases
About the OpenSSL version, shown here below:
[root@redfishos ~]# yes 1 | pkcon download . openssl
[root@redfishos ~]# rpm -qi ./openssl-1.1.1s+git1-1.11.1.jolla.aarch64.rpm
warning: ./openssl-1.1.1s+git1-1.11.1.jolla.aarch64.rpm: Header V3 RSA/SHA256 Signature, key ID 47394f23: NOKEY
Name : openssl
Version : 1.1.1s+git1
Release : 1.11.1.jolla
Architecture: aarch64
Install Date: (not installed)
Group : Unspecified
Size : 690314
License : OpenSSL
Signature : RSA/SHA256, Mon 13 Feb 2023 17:32:00 CET, Key ID 5b1e398947394f23
Source RPM : openssl-1.1.1s+git1-1.11.1.jolla.src.rpm
Build Date : Mon 13 Feb 2023 17:27:29 CET
Build Host : phost28
Vendor : meego
URL : http://www.openssl.org/
Summary : Utilities from the general purpose cryptography library with TLS implementation
Description :
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.
As you can see, the package was built three months before the CVE-2023-2650 publication; therefore it is reasonable to suppose that the SFOS OpenSSL is still vulnerable.
I hope this helps, R-
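An added example, not part of the original post or of Sailfish OS: a small POSIX sh helper that takes package names as printed by "pkcon search openssl" and classifies them against the upstream fix versions for CVE-2023-2650 (1.1.1u, 3.0.9 and 3.1.1 per the OpenSSL advisory of 30 May 2023). It looks only at the upstream version letter or number, not at the build date, so it gives a firmer answer than "built before the CVE was published"; the distro suffix (+git1-1.11.1.jolla) is ignored because it says nothing about this fix.

```shell
#!/bin/sh
# Added example (not from the original post): classify rpm/pkcon package
# names against the upstream CVE-2023-2650 fix versions.
# Fixed upstream in 1.1.1u, 3.0.9 and 3.1.1; 1.0.2 is end-of-life upstream
# and is reported as "unknown" so the vendor has to be asked.

# Print the upstream OpenSSL version embedded in a package name, e.g.
# "openssl-libs-1.1.1s+git1-1.11.1.jolla.aarch64" -> "1.1.1s".
# Prints nothing for packages that are not OpenSSL itself (python3-openssl,
# rubygem-openssl, sqlcipher, ...), which this check does not cover.
openssl_upstream_version() {
    printf '%s\n' "$1" |
        sed -n 's/^openssl\(-[a-z]*\)*-\([0-9][0-9.]*[a-z]*\).*$/\2/p'
}

# Echo "vulnerable", "patched" or "unknown" for one package name.
# 1.1.1 patch letters sort alphabetically, so a-t are before the fix (u).
cve_2023_2650_status() {
    ver=$(openssl_upstream_version "$1")
    case "$ver" in
        1.1.1)        echo vulnerable ;;   # bare 1.1.1, no patch letter
        1.1.1[a-t])   echo vulnerable ;;   # 1.1.1a .. 1.1.1t
        1.1.1[u-z])   echo patched ;;      # 1.1.1u and later
        3.0.[0-8])    echo vulnerable ;;   # 3.0.0 .. 3.0.8
        3.0.*)        echo patched ;;      # 3.0.9, 3.0.10, ...
        3.1.0)        echo vulnerable ;;
        3.1.*)        echo patched ;;
        3.*)          echo patched ;;      # branches created after the fix
        *)            echo unknown ;;      # 1.0.2, non-OpenSSL packages, ...
    esac
}

# Constructed sample input: the two openssl-* lines from the pkcon output
# above plus an unrelated package, to show all three outcomes.
for pkg in openssl-libs-1.1.1s+git1-1.11.1.jolla.aarch64 \
           openssl-1.1.1u-1.fc38.x86_64 \
           python3-openssl-19.1.0+git2-1.6.2.jolla.aarch64; do
    printf '%-50s %s\n' "$pkg" "$(cve_2023_2650_status "$pkg")"
done
```

On the device itself the loop can be fed with `rpm -qa 'openssl*'` instead of the constructed list.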