Just reporting here for your acknowledgement
```
#
# An OpenSSL vulnerability has recently been fixed with USN-6188-1 & 6119-1:
# CVE-2023-2650: possible DoS translating ASN.1 object identifiers.
# Ensure you have updated the package to its latest version.
#
```
At the end of the vulnerability description:
> The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer’s certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication. In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.
This means that only large-scale servers and clusters can be strongly affected by this vulnerability, and this is definitely not the case with smartphones.

However, in some other niches this can be a sensitive problem, especially if it impacts the overall performance of the system, pushing it outside its latency and jitter specifications.

If this happens, the vulnerability is not the root cause; the root cause is not having provided real-time scheduling for those applications and kernel threads that require it.

This is the current state of Sailfish OS:
```
[root@redfishos ~]# pkcon search openssl
Searching by details
Starting
Querying
Finished
Available   openssl-1.1.1s+git1-1.11.1.jolla.aarch64 (jolla)                Utilities from the general purpose cryptography library with TLS implementation
Available   openssl-debuginfo-1.1.1s+git1-1.11.1.jolla.aarch64 (jolla)      Debug information for package openssl
Available   openssl-debugsource-1.1.1s+git1-1.11.1.jolla.aarch64 (jolla)    Debug sources for package openssl
Available   openssl-devel-1.1.1s+git1-1.11.1.jolla.aarch64 (jolla)          Files for development of applications which will use OpenSSL
Installed   openssl-libs-1.1.1s+git1-1.11.1.jolla.aarch64 (installed)       A general purpose cryptography library with TLS implementation
Available   openssl-perl-1.1.1s+git1-1.11.1.jolla.aarch64 (jolla)           Perl scripts provided with OpenSSL
Available   openssl-static-1.1.1s+git1-1.11.1.jolla.aarch64 (jolla)         Libraries for static linking of applications which will use OpenSSL
Installed   openvpn-2.5.5+git1-1.10.1.jolla.aarch64 (installed)             A full-featured SSL VPN solution
Available   pkcs11-helper-1.27+git1-1.4.3.jolla.aarch64 (jolla)             A library for using PKCS#11 providers
Available   python-M2Crypto-0.37.1+git2-1.4.5.jolla.aarch64 (jolla)         Support for using OpenSSL in python scripts
Available   python3-openssl-19.1.0+git2-1.6.2.jolla.aarch64 (jolla)         Python wrapper module around the OpenSSL library
Available   python3-openssl-debuginfo-19.1.0+git2-1.6.2.jolla.aarch64 (jolla)   Debug information for package python3-openssl
Available   python3-openssl-debugsource-19.1.0+git2-1.6.2.jolla.aarch64 (jolla) Debug sources for package python3-openssl
Available   rubygem-openssl-2.1.3-1.8.1.jolla.aarch64 (jolla)               OpenSSL provides SSL, TLS and general purpose cryptography
Available   sqlcipher-4.5.0+git2-1.5.4.jolla.aarch64 (jolla)                AES encryption for SQLite databases
```
The OpenSSL package version is shown below:
```
[root@redfishos ~]# yes 1 | pkcon download . openssl
[root@redfishos ~]# rpm -qi ./openssl-1.1.1s+git1-1.11.1.jolla.aarch64.rpm
warning: ./openssl-1.1.1s+git1-1.11.1.jolla.aarch64.rpm: Header V3 RSA/SHA256 Signature, key ID 47394f23: NOKEY
Name        : openssl
Version     : 1.1.1s+git1
Release     : 1.11.1.jolla
Architecture: aarch64
Install Date: (not installed)
Group       : Unspecified
Size        : 690314
License     : OpenSSL
Signature   : RSA/SHA256, Mon 13 Feb 2023 17:32:00 CET, Key ID 5b1e398947394f23
Source RPM  : openssl-1.1.1s+git1-1.11.1.jolla.src.rpm
Build Date  : Mon 13 Feb 2023 17:27:29 CET
Build Host  : phost28
Vendor      : meego
URL         : http://www.openssl.org/
Summary     : Utilities from the general purpose cryptography library with TLS implementation
Description :
The OpenSSL toolkit provides support for secure communications between machines.
OpenSSL includes a certificate management tool and shared libraries which provide
various cryptographic algorithms and protocols.
```
As you can see, the package was built three months before the CVE-2023-2650 publication, so it is reasonable to suppose that the SFOS OpenSSL is still vulnerable.
I hope this helps, R-
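The post's reasoning ("built before the advisory, therefore probably unpatched") can be turned into a repeatable check. The script below is an added example, not code from the original post or from Jolla/Sailfish OS. It assumes a POSIX `sh` with `awk` and `grep`, takes 30 May 2023 as the CVE-2023-2650 advisory date (the day OpenSSL 1.1.1u shipped), and uses a constructed `rpm -qi` / `rpm --changelog` sample that mirrors the package shown above. It also adds the check the build-date heuristic alone misses: distributions routinely backport a fix without changing the upstream version string, so the RPM changelog referencing the CVE ID is the authoritative signal, and the build date only decides the cases where the changelog is silent.

```shell
#!/bin/sh
# Added example, not from the original post or from Sailfish OS.
# Assumptions: POSIX sh + awk + grep; CVE-2023-2650 advisory date 30 May 2023;
# package names as used on Sailfish OS (openssl-libs is the installed one).
CVE="CVE-2023-2650"
CVE_DATE=20230530

# Turn the "Build Date" line of `rpm -qi` output, e.g.
# "Build Date  : Mon 13 Feb 2023 17:27:29 CET", into YYYYMMDD so it can be
# compared numerically without relying on GNU `date -d` (absent on busybox).
build_date_yyyymmdd() {
  printf '%s\n' "$1" | awk '
    BEGIN {
      split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
      for (i = 1; i <= 12; i++) mon[names[i]] = i
    }
    /^Build Date/ {
      sub(/^[^:]*:[ \t]*/, "")        # drop the "Build Date  : " prefix
      split($0, f, " ")               # Mon 13 Feb 2023 17:27:29 CET
      printf "%04d%02d%02d\n", f[4], mon[f[3]], f[2]
      exit
    }'
}

# True when the build predates the advisory: the fix cannot be in it unless
# the vendor cherry-picked it before publication, which is rare.
built_before_advisory() {
  d=$(build_date_yyyymmdd "$1")
  [ -n "$d" ] && [ "$d" -lt "$CVE_DATE" ]
}

# Backported fixes keep the upstream version ("1.1.1s") but are recorded in
# the RPM changelog, so this is the authoritative signal.
changelog_mentions_cve() {
  printf '%s\n' "$1" | grep -q "$CVE"
}

# Combine both signals into one verdict string.
# $1 = `rpm -qi` output, $2 = `rpm -q --changelog` output
assess() {
  if changelog_mentions_cve "$2"; then
    echo "patched: changelog references $CVE"
  elif built_before_advisory "$1"; then
    echo "likely-vulnerable: built $(build_date_yyyymmdd "$1"), advisory $CVE_DATE, no changelog entry"
  else
    echo "unknown: built after advisory but changelog silent on $CVE, verify manually"
  fi
}

# Constructed sample mirroring the package in the post (not live output).
SAMPLE_RPMINFO='Name        : openssl
Version     : 1.1.1s+git1
Release     : 1.11.1.jolla
Build Date  : Mon 13 Feb 2023 17:27:29 CET'
SAMPLE_CHANGELOG='* Mon Feb 13 2023 packager (constructed entry) - 1.1.1s+git1
- Update to 1.1.1s'

assess "$SAMPLE_RPMINFO" "$SAMPLE_CHANGELOG"

# On the device itself, feed the real package data instead.
if command -v rpm >/dev/null 2>&1 && rpm -q openssl-libs >/dev/null 2>&1; then
  assess "$(rpm -qi openssl-libs)" "$(rpm -q --changelog openssl-libs)"
fi
```

On the sample the verdict is "likely-vulnerable", which is the post's conclusion; once Jolla ships a rebuilt package, `rpm -q --changelog openssl-libs | grep CVE-2023-2650` is the one-liner that settles it regardless of whether the version string moves past 1.1.1s.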