[Touch-packages] [Bug 2054090] Re: Implicit rejection of PKCS#1 v1.5 RSA

Tue, 27 Feb 2024 02:06:41 -0800 

This bug was fixed in the package openssl - 1.1.1f-1ubuntu2.22

---------------
openssl (1.1.1f-1ubuntu2.22) focal-security; urgency=medium

  * SECURITY UPDATE: Implicit rejection for RSA PKCS#1 (LP: #2054090)
    - debian/patches/openssl-1.1.1-pkcs1-implicit-rejection.patch:
      Return deterministic random output instead of an error in case
      there is a padding error in crypto/cms/cms_env.c,
      crypto/pkcs7/pk7_doit.c, crypto/rsa/rsa_local.h,
      crypto/rsa/rsa_ossl.c, crypto/rsa/rsa_pk1.c, crypto/rsa/rsa_pmeth.c,
      doc/man1/pkeyutl.pod, doc/man1/rsautl.pod,
      doc/man3/EVP_PKEY_CTX_ctrl.pod, doc/man3/EVP_PKEY_decrypt.pod,
      doc/man3/RSA_padding_add_PKCS1_type_1.pod,
      doc/man3/RSA_public_encrypt.pod, include/openssl/rsa.h and
      test/recipes/30-test_evp_data/evppkey.txt.

 -- David Fernandez Gonzalez <david.fernandezgonza...@canonical.com>
Fri, 16 Feb 2024 16:41:31 +0100

** Changed in: openssl (Ubuntu Jammy)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2054090

Title:
  Implicit rejection of PKCS#1 v1.5 RSA

Status in openssl package in Ubuntu:
  New
Status in openssl source package in Trusty:
  New
Status in openssl source package in Xenial:
  New
Status in openssl source package in Bionic:
  New
Status in openssl source package in Focal:
  Fix Released
Status in openssl source package in Jammy:
  Fix Released
Status in openssl source package in Mantic:
  Fix Released
Status in openssl source package in Noble:
  New

Bug description:
  OpenSSL 3.2.0 introduced a change on PKCS#1 v1.5 RSA to return random
  output instead of an exception when detecting wrong padding
  (https://github.com/openssl/openssl/pull/13817).

  There are available backports already:

  * 3.0 https://gitlab.com/redhat/centos-
  stream/rpms/openssl/-/blob/c9s/0120-RSA-PKCS15-implicit-
  rejection.patch?ref_type=heads

  * 1.1.1 https://gitlab.com/redhat/centos-
  stream/rpms/openssl/-/blob/c8s/openssl-1.1.1-pkcs1-implicit-
  rejection.patch?ref_type=heads

  
  This change is needed to fix CVE-2023-50782.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2054090/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to