Source: openssl
Version: 3.5.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for openssl.

CVE-2025-4575[0]:
| Issue summary: Use of -addreject option with the openssl x509
| application adds a trusted use instead of a rejected use for a
| certificate.
|
| Impact summary: If a user intends to make a trusted certificate
| rejected for a particular use it will be instead marked as trusted
| for that use.
|
| A copy & paste error during minor refactoring of the code introduced
| this issue in the OpenSSL 3.5 version.
|
| If, for example, a trusted CA certificate should be trusted only for
| the purpose of authenticating TLS servers but not for CMS signature
| verification and the CMS signature verification is intended to be
| marked as rejected with the -addreject option, the resulting CA
| certificate will be trusted for CMS signature verification purpose
| instead.
|
| Only users which use the trusted certificate format who use the
| openssl x509 command line application to add rejected uses are
| affected by this issue.
|
| The issues affecting only the command line application are considered
| to be Low severity.
|
| The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected
| by this issue.
|
| OpenSSL 3.4, 3.3, 3.2, 3.1, 3.0, 1.1.1 and 1.0.2 are also not affected
| by this issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-4575
    https://www.cve.org/CVERecord?id=CVE-2025-4575
[1] https://openssl-library.org/news/secadv/20250522.txt

Regards,
Salvatore
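As an added illustration (not part of this bug report and not OpenSSL's own code), a small Python parser for the X509_CERT_AUX trailer that OpenSSL appends to a TRUSTED CERTIFICATE, so an operator can audit files produced with -addreject and see whether a use they meant to reject landed in the trust list, which is the outcome the advisory describes for 3.5.0. The certificate stand-in and the aux bytes are constructed samples; the mapping of CMS/S-MIME trust to the emailProtection OID is an assumption for the example.

```python
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # id-kp-serverAuth
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection, assumed S/MIME/CMS trust OID

def _tlv(buf, pos):
    """Decode one DER TLV at pos, returning (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _tlvs(buf):
    """Yield (tag, value) for each consecutive top-level TLV in buf."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        yield tag, val

def _oid(value):
    """Decode a DER OBJECT IDENTIFIER value into dotted-decimal form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def trust_settings(blob):
    """Return (trusted, rejected) OID sets from a TRUSTED CERTIFICATE blob: Certificate DER, then
    X509_CERT_AUX ::= SEQUENCE { trust SEQUENCE OF OID (0x30), reject [0] IMPLICIT SEQUENCE OF OID (0xA0), ... }."""
    _, _, pos = _tlv(blob, 0)                                # skip the certificate itself
    aux = _tlv(blob, pos)[1] if pos < len(blob) else b""     # plain certificate: no trailer
    trusted, rejected = set(), set()
    for tag, val in _tlvs(aux):
        if tag == 0x30:
            trusted = {_oid(v) for _, v in _tlvs(val)}
        elif tag == 0xA0:
            rejected = {_oid(v) for _, v in _tlvs(val)}      # alias/keyid/other are skipped
    return trusted, rejected

def misplaced_rejects(blob, intended_rejects):
    """Uses the operator meant to reject that landed in the trust list instead."""
    trusted, rejected = trust_settings(blob)
    return {o for o in intended_rejects if o in trusted and o not in rejected}

# Constructed samples: a stand-in SEQUENCE for the certificate, then a hand-encoded X509_CERT_AUX.
_CERT = b"\x30\x03\x02\x01\x01"
_SA, _EP = b"\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01", b"\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x04"
INTENDED = _CERT + b"\x30\x18\x30\x0a" + _SA + b"\xa0\x0a" + _EP   # emailProtection in reject [0]
BUGGY_35 = _CERT + b"\x30\x16\x30\x14" + _SA + _EP                  # both OIDs in the trust list
```

To audit a real file, base64-decode the body of a "-----BEGIN TRUSTED CERTIFICATE-----" PEM block and pass the bytes to misplaced_rejects with the OIDs you intended to reject.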