Source: openssl
Version: 3.2.1-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 3.1.5-1
Control: found -1 3.0.11-1~deb12u2
Hi,

The following vulnerability was published for openssl.

CVE-2024-2511[0]:
| Issue summary: Some non-default TLS server configurations can cause
| unbounded memory growth when processing TLSv1.3 sessions Impact
| summary: An attacker may exploit certain server configurations to
| trigger unbounded memory growth that would lead to a Denial of
| Service This problem can occur in TLSv1.3 if the non-default
| SSL_OP_NO_TICKET option is being used (but not if early_data support
| is also configured and the default anti-replay protection is in
| use). In this case, under certain conditions, the session cache can
| get into an incorrect state and it will fail to flush properly as it
| fills. The session cache will continue to grow in an unbounded
| manner. A malicious client could deliberately create the scenario
| for this failure to force a Denial of Service. It may also happen by
| accident in normal operation. This issue only affects TLS servers
| supporting TLSv1.3. It does not affect TLS clients. The FIPS
| modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL
| 1.0.2 is also not affected by this issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-2511
    https://www.cve.org/CVERecord?id=CVE-2024-2511
[1] https://www.openssl.org/news/secadv/20240408.txt

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
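As an added example (not part of the bug report or of OpenSSL), the following Python audit checks a server-side `ssl.SSLContext` for the trigger condition the advisory describes: TLSv1.3 negotiable together with the non-default `SSL_OP_NO_TICKET` option. Python's `ssl` module exposes no early_data API, so the early_data/anti-replay exemption is not checked; the function names and the sample contexts are constructed for this example.

```python
"""Audit a server-side ssl.SSLContext for the CVE-2024-2511 trigger
condition (TLSv1.3 enabled + OP_NO_TICKET). Added example, not part of
the bug report or of OpenSSL. Assumption: the audited server does not
configure early_data, so the advisory's exemption does not apply."""
import ssl


def tls13_negotiable(ctx: ssl.SSLContext) -> bool:
    """True if the context can still negotiate TLSv1.3."""
    if not ssl.HAS_TLSv1_3 or ctx.options & ssl.OP_NO_TLSv1_3:
        return False
    hi = ctx.maximum_version
    # MAXIMUM_SUPPORTED is a sentinel meaning "no upper bound set".
    return hi == ssl.TLSVersion.MAXIMUM_SUPPORTED or hi >= ssl.TLSVersion.TLSv1_3


def cve_2024_2511_exposed(ctx: ssl.SSLContext) -> bool:
    """True if the context combines TLSv1.3 with OP_NO_TICKET, the
    server-side configuration under which the advisory says the session
    cache can grow without bound on unpatched OpenSSL."""
    no_ticket = bool(ctx.options & ssl.OP_NO_TICKET)
    return no_ticket and tls13_negotiable(ctx)


def make_server_context(disable_tickets: bool, cap_tls12: bool = False) -> ssl.SSLContext:
    """Constructed sample contexts: the exposed setting beside two that
    fall outside the described condition (tickets on, or TLSv1.3 off)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if disable_tickets:
        ctx.options |= ssl.OP_NO_TICKET          # non-default stateful resumption
    else:
        # Plain int arithmetic so the clear works on every Python version.
        ctx.options = int(ctx.options) & ~int(ssl.OP_NO_TICKET)
    if cap_tls12:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # issue is TLSv1.3-only
    return ctx


if __name__ == "__main__":
    samples = (("OP_NO_TICKET, TLSv1.3 on", True, False),
               ("tickets on, TLSv1.3 on", False, False),
               ("OP_NO_TICKET, capped at TLSv1.2", True, True))
    for label, no_ticket, cap in samples:
        verdict = "EXPOSED" if cve_2024_2511_exposed(make_server_context(no_ticket, cap)) \
            else "outside trigger condition"
        print(f"{label:32s} [{ssl.OPENSSL_VERSION}]: {verdict}")
```

A verdict of "EXPOSED" means the configuration matches the advisory's condition; whether the underlying library is actually vulnerable still depends on the installed OpenSSL version.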