csaf_suse - suse-su-2023:3011-1

Vulnerability from csaf_suse

Published

2023-07-28 12:17

Modified

2023-07-28 12:17

Summary

Security update for openssl-3

Notes

Title of the patch

Security update for openssl-3

Description of the patch

This update for openssl-3 fixes the following issues: - CVE-2023-2975: Fixed AES-SIV implementation ignores empty associated data entries (bsc#1213383). - CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).

Patchnames

SUSE-2023-3011,SUSE-SLE-Module-Basesystem-15-SP5-2023-3011,openSUSE-SLE-15.5-2023-3011

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://www.suse.com/support/security/rating/",
         text: "moderate",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright 2024 SUSE LLC. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Security update for openssl-3",
            title: "Title of the patch",
         },
         {
            category: "description",
            text: "This update for openssl-3 fixes the following issues:\n\n- CVE-2023-2975: Fixed AES-SIV implementation ignores empty associated data entries (bsc#1213383).\n- CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).\n",
            title: "Description of the patch",
         },
         {
            category: "details",
            text: "SUSE-2023-3011,SUSE-SLE-Module-Basesystem-15-SP5-2023-3011,openSUSE-SLE-15.5-2023-3011",
            title: "Patchnames",
         },
         {
            category: "legal_disclaimer",
            text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
            title: "Terms of use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://www.suse.com/support/security/contact/",
         name: "SUSE Product Security Team",
         namespace: "https://www.suse.com/",
      },
      references: [
         {
            category: "external",
            summary: "SUSE ratings",
            url: "https://www.suse.com/support/security/rating/",
         },
         {
            category: "self",
            summary: "URL of this CSAF notice",
            url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2023_3011-1.json",
         },
         {
            category: "self",
            summary: "URL for SUSE-SU-2023:3011-1",
            url: "https://www.suse.com/support/update/announcement/2023/suse-su-20233011-1/",
         },
         {
            category: "self",
            summary: "E-Mail link for SUSE-SU-2023:3011-1",
            url: "https://lists.suse.com/pipermail/sle-updates/2023-July/030618.html",
         },
         {
            category: "self",
            summary: "SUSE Bug 1213383",
            url: "https://bugzilla.suse.com/1213383",
         },
         {
            category: "self",
            summary: "SUSE Bug 1213487",
            url: "https://bugzilla.suse.com/1213487",
         },
         {
            category: "self",
            summary: "SUSE CVE CVE-2023-2975 page",
            url: "https://www.suse.com/security/cve/CVE-2023-2975/",
         },
         {
            category: "self",
            summary: "SUSE CVE CVE-2023-3446 page",
            url: "https://www.suse.com/security/cve/CVE-2023-3446/",
         },
      ],
      title: "Security update for openssl-3",
      tracking: {
         current_release_date: "2023-07-28T12:17:06Z",
         generator: {
            date: "2023-07-28T12:17:06Z",
            engine: {
               name: "cve-database.git:bin/generate-csaf.pl",
               version: "1",
            },
         },
         id: "SUSE-SU-2023:3011-1",
         initial_release_date: "2023-07-28T12:17:06Z",
         revision_history: [
            {
               date: "2023-07-28T12:17:06Z",
               number: "1",
               summary: "Current version",
            },
         ],
         status: "final",
         version: "1",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "libopenssl-3-devel-3.0.8-150500.5.8.1.aarch64",
                        product: {
                           name: "libopenssl-3-devel-3.0.8-150500.5.8.1.aarch64",
                           product_id: "libopenssl-3-devel-3.0.8-150500.5.8.1.aarch64",
                        },
                     },
                     {
                        category: "product_version",
                        name: "libopenssl3-3.0.8-150500.5.8.1.aarch64",
                        product: {
                           name: "libopenssl3-3.0.8-150500.5.8.1.aarch64",
                           product_id: "libopenssl3-3.0.8-150500.5.8.1.aarch64",
                        },
                     },
                     {
                        category: "product_version",
                        name: "openssl-3-3.0.8-150500.5.8.1.aarch64",
                        product: {
                           name: "openssl-3-3.0.8-150500.5.8.1.aarch64",
                           product_id: "openssl-3-3.0.8-150500.5.8.1.aarch64",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "aarch64",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "libopenssl-3-devel-64bit-3.0.8-150500.5.8.1.aarch64_ilp32",
                        product: {
                           name: "libopenssl-3-devel-64bit-3.0.8-150500.5.8.1.aarch64_ilp32",
                           product_id: "libopenssl-3-devel-64bit-3.0.8-150500.5.8.1.aarch64_ilp32",
                        },
                     },
                     {
                        category: "product_version",
                        name: "libopenssl3-64bit-3.0.8-150500.5.8.1.aarch64_ilp32",
                        product: {
                           name: "libopenssl3-64bit-3.0.8-150500.5.8.1.aarch64_ilp32",
                           product_id: "libopenssl3-64bit-3.0.8-150500.5.8.1.aarch64_ilp32",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "aarch64_ilp32",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "libopenssl-3-devel-3.0.8-150500.5.8.1.i586",
                        product: {
                           name: "libopenssl-3-devel-3.0.8-150500.5.8.1.i586",
                           product_id: "libopenssl-3-devel-3.0.8-150500.5.8.1.i586",
                        },
                     },
                     {
                        category: "product_version",
                        name: "libopenssl3-3.0.8-150500.5.8.1.i586",
                        product: {
                           name: "libopenssl3-3.0.8-150500.5.8.1.i586",
                           product_id: "libopenssl3-3.0.8-150500.5.8.1.i586",
                        },
                     },
                     {
                        category: "product_version",
                        name: "openssl-3-3.0.8-150500.5.8.1.i586",
                        product: {
                           name: "openssl-3-3.0.8-150500.5.8.1.i586",
                           product_id: "openssl-3-3.0.8-150500.5.8.1.i586",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "i586",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "openssl-3-doc-3.0.8-150500.5.8.1.noarch",
                        product: {
                           name: "openssl-3-doc-3.0.8-150500.5.8.1.noarch",
                           product_id: "openssl-3-doc-3.0.8-150500.5.8.1.noarch",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "noarch",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "libopenssl-3-devel-3.0.8-150500.5.8.1.ppc64le",
                        product: {
                           name: "libopenssl-3-devel-3.0.8-150500.5.8.1.ppc64le",
                           product_id: "libopenssl-3-devel-3.0.8-150500.5.8.1.ppc64le",
                        },
                     },
                     {
                        category: "product_version",
                        name: "libopenssl3-3.0.8-150500.5.8.1.ppc64le",
                        product: {
                           name: "libopenssl3-3.0.8-150500.5.8.1.ppc64le",
                           product_id: "libopenssl3-3.0.8-150500.5.8.1.ppc64le",
                        },
                     },
                     {
                        category: "product_version",
                        name: "openssl-3-3.0.8-150500.5.8.1.ppc64le",
                        product: {
                           name: "openssl-3-3.0.8-150500.5.8.1.ppc64le",
                           product_id: "openssl-3-3.0.8-150500.5.8.1.ppc64le",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "ppc64le",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "libopenssl-3-devel-3.0.8-150500.5.8.1.s390x",
                        product: {
                           name: "libopenssl-3-devel-3.0.8-150500.5.8.1.s390x",
                           product_id: "libopenssl-3-devel-3.0.8-150500.5.8.1.s390x",
                        },
                     },
                     {
                        category: "product_version",
                        name: "libopenssl3-3.0.8-150500.5.8.1.s390x",
                        product: {
                           name: "libopenssl3-3.0.8-150500.5.8.1.s390x",
                           product_id: "libopenssl3-3.0.8-150500.5.8.1.s390x",
                        },
                     },
                     {
                        category: "product_version",
                        name: "openssl-3-3.0.8-150500.5.8.1.s390x",
                        product: {
                           name: "openssl-3-3.0.8-150500.5.8.1.s390x",
                           product_id: "openssl-3-3.0.8-150500.5.8.1.s390x",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "s390x",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "libopenssl-3-devel-3.0.8-150500.5.8.1.x86_64",
                        product: {
                           name: "libopenssl-3-devel-3.0.8-150500.5.8.1.x86_64",
                           product_id: "libopenssl-3-devel-3.0.8-150500.5.8.1.x86_64",
                        },
                     },
                     {
                        category: "product_version",
                        name: "libopenssl-3-devel-32bit-3.0.8-150500.5.8.1.x86_64",
                        product: {
                           name: "libopenssl-3-devel-32bit-3.0.8-150500.5.8.1.x86_64",
                           product_id: "libopenssl-3-devel-32bit-3.0.8-150500.5.8.1.x86_64",
                        },
                     },
                     {
                        category: "product_version",
                        name: "libopenssl3-3.0.8-150500.5.8.1.x86_64",
                        product: {
                           name: "libopenssl3-3.0.8-150500.5.8.1.x86_64",
                           product_id: "libopenssl3-3.0.8-150500.5.8.1.x86_64",
                        },
                     },
                     {
                        category: "product_version",
                        name: "libopenssl3-32bit-3.0.8-150500.5.8.1.x86_64",
                        product: {
                           name: "libopenssl3-32bit-3.0.8-150500.5.8.1.x86_64",
                           product_id: "libopenssl3-32bit-3.0.8-150500.5.8.1.x86_64",
                        },
                     },
                     {
                        category: "product_version",
                        name: "openssl-3-3.0.8-150500.5.8.1.x86_64",
                        product: {
                           name: "openssl-3-3.0.8-150500.5.8.1.x86_64",
                           product_id: "openssl-3-3.0.8-150500.5.8.1.x86_64",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "x86_64",
               },
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "SUSE Linux Enterprise Module for Basesystem 15 SP5",
                        product: {
                           name: "SUSE Linux Enterprise Module for Basesystem 15 SP5",
                           product_id: "SUSE Linux Enterprise Module for Basesystem 15 SP5",
                           product_identification_helper: {
                              cpe: "cpe:/o:suse:sle-module-basesystem:15:sp5",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "openSUSE Leap 15.5",
                        product: {
                           name: "openSUSE Leap 15.5",
                           product_id: "openSUSE Leap 15.5",
                           product_identification_helper: {
                              cpe: "cpe:/o:opensuse:leap:15.5",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "SUSE Linux Enterprise",
               },
            ],
            category: "vendor",
            name: "SUSE",
         },
      ],
      relationships: [
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl-3-devel-3.0.8-150500.5.8.1.aarch64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP5",
               product_id: "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.aarch64",
            },
            product_reference: "libopenssl-3-devel-3.0.8-150500.5.8.1.aarch64",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Basesystem 15 SP5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl-3-devel-3.0.8-150500.5.8.1.ppc64le as component of SUSE Linux Enterprise Module for Basesystem 15 SP5",
               product_id: "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.ppc64le",
            },
            product_reference: "libopenssl-3-devel-3.0.8-150500.5.8.1.ppc64le",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Basesystem 15 SP5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl-3-devel-3.0.8-150500.5.8.1.s390x as component of SUSE Linux Enterprise Module for Basesystem 15 SP5",
               product_id: "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.s390x",
            },
            product_reference: "libopenssl-3-devel-3.0.8-150500.5.8.1.s390x",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Basesystem 15 SP5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl-3-devel-3.0.8-150500.5.8.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP5",
               product_id: "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.x86_64",
            },
            product_reference: "libopenssl-3-devel-3.0.8-150500.5.8.1.x86_64",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Basesystem 15 SP5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl3-3.0.8-150500.5.8.1.aarch64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP5",
               product_id: "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.aarch64",
            },
            product_reference: "libopenssl3-3.0.8-150500.5.8.1.aarch64",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Basesystem 15 SP5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl3-3.0.8-150500.5.8.1.ppc64le as component of SUSE Linux Enterprise Module for Basesystem 15 SP5",
               product_id: "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.ppc64le",
            },
            product_reference: "libopenssl3-3.0.8-150500.5.8.1.ppc64le",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Basesystem 15 SP5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl3-3.0.8-150500.5.8.1.s390x as component of SUSE Linux Enterprise Module for Basesystem 15 SP5",
               product_id: "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.s390x",
            },
            product_reference: "libopenssl3-3.0.8-150500.5.8.1.s390x",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Basesystem 15 SP5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl3-3.0.8-150500.5.8.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP5",
               product_id: "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.x86_64",
            },
            product_reference: "libopenssl3-3.0.8-150500.5.8.1.x86_64",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Basesystem 15 SP5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "openssl-3-3.0.8-150500.5.8.1.aarch64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP5",
               product_id: "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.aarch64",
            },
            product_reference: "openssl-3-3.0.8-150500.5.8.1.aarch64",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Basesystem 15 SP5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "openssl-3-3.0.8-150500.5.8.1.ppc64le as component of SUSE Linux Enterprise Module for Basesystem 15 SP5",
               product_id: "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.ppc64le",
            },
            product_reference: "openssl-3-3.0.8-150500.5.8.1.ppc64le",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Basesystem 15 SP5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "openssl-3-3.0.8-150500.5.8.1.s390x as component of SUSE Linux Enterprise Module for Basesystem 15 SP5",
               product_id: "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.s390x",
            },
            product_reference: "openssl-3-3.0.8-150500.5.8.1.s390x",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Basesystem 15 SP5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "openssl-3-3.0.8-150500.5.8.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP5",
               product_id: "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.x86_64",
            },
            product_reference: "openssl-3-3.0.8-150500.5.8.1.x86_64",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Basesystem 15 SP5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl-3-devel-3.0.8-150500.5.8.1.aarch64 as component of openSUSE Leap 15.5",
               product_id: "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.aarch64",
            },
            product_reference: "libopenssl-3-devel-3.0.8-150500.5.8.1.aarch64",
            relates_to_product_reference: "openSUSE Leap 15.5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl-3-devel-3.0.8-150500.5.8.1.ppc64le as component of openSUSE Leap 15.5",
               product_id: "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.ppc64le",
            },
            product_reference: "libopenssl-3-devel-3.0.8-150500.5.8.1.ppc64le",
            relates_to_product_reference: "openSUSE Leap 15.5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl-3-devel-3.0.8-150500.5.8.1.s390x as component of openSUSE Leap 15.5",
               product_id: "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.s390x",
            },
            product_reference: "libopenssl-3-devel-3.0.8-150500.5.8.1.s390x",
            relates_to_product_reference: "openSUSE Leap 15.5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl-3-devel-3.0.8-150500.5.8.1.x86_64 as component of openSUSE Leap 15.5",
               product_id: "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.x86_64",
            },
            product_reference: "libopenssl-3-devel-3.0.8-150500.5.8.1.x86_64",
            relates_to_product_reference: "openSUSE Leap 15.5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl-3-devel-32bit-3.0.8-150500.5.8.1.x86_64 as component of openSUSE Leap 15.5",
               product_id: "openSUSE Leap 15.5:libopenssl-3-devel-32bit-3.0.8-150500.5.8.1.x86_64",
            },
            product_reference: "libopenssl-3-devel-32bit-3.0.8-150500.5.8.1.x86_64",
            relates_to_product_reference: "openSUSE Leap 15.5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl3-3.0.8-150500.5.8.1.aarch64 as component of openSUSE Leap 15.5",
               product_id: "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.aarch64",
            },
            product_reference: "libopenssl3-3.0.8-150500.5.8.1.aarch64",
            relates_to_product_reference: "openSUSE Leap 15.5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl3-3.0.8-150500.5.8.1.ppc64le as component of openSUSE Leap 15.5",
               product_id: "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.ppc64le",
            },
            product_reference: "libopenssl3-3.0.8-150500.5.8.1.ppc64le",
            relates_to_product_reference: "openSUSE Leap 15.5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl3-3.0.8-150500.5.8.1.s390x as component of openSUSE Leap 15.5",
               product_id: "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.s390x",
            },
            product_reference: "libopenssl3-3.0.8-150500.5.8.1.s390x",
            relates_to_product_reference: "openSUSE Leap 15.5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl3-3.0.8-150500.5.8.1.x86_64 as component of openSUSE Leap 15.5",
               product_id: "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.x86_64",
            },
            product_reference: "libopenssl3-3.0.8-150500.5.8.1.x86_64",
            relates_to_product_reference: "openSUSE Leap 15.5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl3-32bit-3.0.8-150500.5.8.1.x86_64 as component of openSUSE Leap 15.5",
               product_id: "openSUSE Leap 15.5:libopenssl3-32bit-3.0.8-150500.5.8.1.x86_64",
            },
            product_reference: "libopenssl3-32bit-3.0.8-150500.5.8.1.x86_64",
            relates_to_product_reference: "openSUSE Leap 15.5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "openssl-3-3.0.8-150500.5.8.1.aarch64 as component of openSUSE Leap 15.5",
               product_id: "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.aarch64",
            },
            product_reference: "openssl-3-3.0.8-150500.5.8.1.aarch64",
            relates_to_product_reference: "openSUSE Leap 15.5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "openssl-3-3.0.8-150500.5.8.1.ppc64le as component of openSUSE Leap 15.5",
               product_id: "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.ppc64le",
            },
            product_reference: "openssl-3-3.0.8-150500.5.8.1.ppc64le",
            relates_to_product_reference: "openSUSE Leap 15.5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "openssl-3-3.0.8-150500.5.8.1.s390x as component of openSUSE Leap 15.5",
               product_id: "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.s390x",
            },
            product_reference: "openssl-3-3.0.8-150500.5.8.1.s390x",
            relates_to_product_reference: "openSUSE Leap 15.5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "openssl-3-3.0.8-150500.5.8.1.x86_64 as component of openSUSE Leap 15.5",
               product_id: "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.x86_64",
            },
            product_reference: "openssl-3-3.0.8-150500.5.8.1.x86_64",
            relates_to_product_reference: "openSUSE Leap 15.5",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "openssl-3-doc-3.0.8-150500.5.8.1.noarch as component of openSUSE Leap 15.5",
               product_id: "openSUSE Leap 15.5:openssl-3-doc-3.0.8-150500.5.8.1.noarch",
            },
            product_reference: "openssl-3-doc-3.0.8-150500.5.8.1.noarch",
            relates_to_product_reference: "openSUSE Leap 15.5",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2023-2975",
         ids: [
            {
               system_name: "SUSE CVE Page",
               text: "https://www.suse.com/security/cve/CVE-2023-2975",
            },
         ],
         notes: [
            {
               category: "general",
               text: "Issue summary: The AES-SIV cipher implementation contains a bug that causes\nit to ignore empty associated data entries which are unauthenticated as\na consequence.\n\nImpact summary: Applications that use the AES-SIV algorithm and want to\nauthenticate empty data entries as associated data can be misled by removing,\nadding or reordering such empty entries as these are ignored by the OpenSSL\nimplementation. We are currently unaware of any such applications.\n\nThe AES-SIV algorithm allows for authentication of multiple associated\ndata entries along with the encryption. To authenticate empty data the\napplication has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with\nNULL pointer as the output buffer and 0 as the input buffer length.\nThe AES-SIV implementation in OpenSSL just returns success for such a call\ninstead of performing the associated data authentication operation.\nThe empty data thus will not be authenticated.\n\nAs this issue does not affect non-empty associated data authentication and\nwe expect it to be rare for an application to use empty associated data\nentries this is qualified as Low severity issue.",
               title: "CVE description",
            },
         ],
         product_status: {
            recommended: [
               "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.aarch64",
               "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.ppc64le",
               "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.s390x",
               "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.x86_64",
               "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.aarch64",
               "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.ppc64le",
               "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.s390x",
               "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.x86_64",
               "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.aarch64",
               "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.ppc64le",
               "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.s390x",
               "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.x86_64",
               "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.aarch64",
               "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.ppc64le",
               "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.s390x",
               "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.x86_64",
               "openSUSE Leap 15.5:libopenssl-3-devel-32bit-3.0.8-150500.5.8.1.x86_64",
               "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.aarch64",
               "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.ppc64le",
               "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.s390x",
               "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.x86_64",
               "openSUSE Leap 15.5:libopenssl3-32bit-3.0.8-150500.5.8.1.x86_64",
               "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.aarch64",
               "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.ppc64le",
               "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.s390x",
               "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.x86_64",
               "openSUSE Leap 15.5:openssl-3-doc-3.0.8-150500.5.8.1.noarch",
            ],
         },
         references: [
            {
               category: "external",
               summary: "CVE-2023-2975",
               url: "https://www.suse.com/security/cve/CVE-2023-2975",
            },
            {
               category: "external",
               summary: "SUSE Bug 1213383 for CVE-2023-2975",
               url: "https://bugzilla.suse.com/1213383",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
               product_ids: [
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.aarch64",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.ppc64le",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.s390x",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.x86_64",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.aarch64",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.ppc64le",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.s390x",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.x86_64",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.aarch64",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.ppc64le",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.s390x",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.x86_64",
                  "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.aarch64",
                  "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.ppc64le",
                  "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.s390x",
                  "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.x86_64",
                  "openSUSE Leap 15.5:libopenssl-3-devel-32bit-3.0.8-150500.5.8.1.x86_64",
                  "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.aarch64",
                  "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.ppc64le",
                  "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.s390x",
                  "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.x86_64",
                  "openSUSE Leap 15.5:libopenssl3-32bit-3.0.8-150500.5.8.1.x86_64",
                  "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.aarch64",
                  "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.ppc64le",
                  "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.s390x",
                  "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.x86_64",
                  "openSUSE Leap 15.5:openssl-3-doc-3.0.8-150500.5.8.1.noarch",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 5.9,
                  baseSeverity: "MEDIUM",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  version: "3.1",
               },
               products: [
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.aarch64",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.ppc64le",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.s390x",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.x86_64",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.aarch64",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.ppc64le",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.s390x",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.x86_64",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.aarch64",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.ppc64le",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.s390x",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.x86_64",
                  "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.aarch64",
                  "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.ppc64le",
                  "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.s390x",
                  "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.x86_64",
                  "openSUSE Leap 15.5:libopenssl-3-devel-32bit-3.0.8-150500.5.8.1.x86_64",
                  "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.aarch64",
                  "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.ppc64le",
                  "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.s390x",
                  "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.x86_64",
                  "openSUSE Leap 15.5:libopenssl3-32bit-3.0.8-150500.5.8.1.x86_64",
                  "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.aarch64",
                  "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.ppc64le",
                  "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.s390x",
                  "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.x86_64",
                  "openSUSE Leap 15.5:openssl-3-doc-3.0.8-150500.5.8.1.noarch",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               date: "2023-07-28T12:17:06Z",
               details: "moderate",
            },
         ],
         title: "CVE-2023-2975",
      },
      {
         cve: "CVE-2023-3446",
         ids: [
            {
               system_name: "SUSE CVE Page",
               text: "https://www.suse.com/security/cve/CVE-2023-3446",
            },
         ],
         notes: [
            {
               category: "general",
               text: "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.",
               title: "CVE description",
            },
         ],
         product_status: {
            recommended: [
               "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.aarch64",
               "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.ppc64le",
               "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.s390x",
               "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.x86_64",
               "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.aarch64",
               "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.ppc64le",
               "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.s390x",
               "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.x86_64",
               "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.aarch64",
               "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.ppc64le",
               "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.s390x",
               "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.x86_64",
               "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.aarch64",
               "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.ppc64le",
               "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.s390x",
               "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.x86_64",
               "openSUSE Leap 15.5:libopenssl-3-devel-32bit-3.0.8-150500.5.8.1.x86_64",
               "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.aarch64",
               "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.ppc64le",
               "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.s390x",
               "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.x86_64",
               "openSUSE Leap 15.5:libopenssl3-32bit-3.0.8-150500.5.8.1.x86_64",
               "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.aarch64",
               "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.ppc64le",
               "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.s390x",
               "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.x86_64",
               "openSUSE Leap 15.5:openssl-3-doc-3.0.8-150500.5.8.1.noarch",
            ],
         },
         references: [
            {
               category: "external",
               summary: "CVE-2023-3446",
               url: "https://www.suse.com/security/cve/CVE-2023-3446",
            },
            {
               category: "external",
               summary: "SUSE Bug 1213487 for CVE-2023-3446",
               url: "https://bugzilla.suse.com/1213487",
            },
            {
               category: "external",
               summary: "SUSE Bug 1213853 for CVE-2023-3446",
               url: "https://bugzilla.suse.com/1213853",
            },
            {
               category: "external",
               summary: "SUSE Bug 1221185 for CVE-2023-3446",
               url: "https://bugzilla.suse.com/1221185",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
               product_ids: [
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.aarch64",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.ppc64le",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.s390x",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.x86_64",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.aarch64",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.ppc64le",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.s390x",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.x86_64",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.aarch64",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.ppc64le",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.s390x",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.x86_64",
                  "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.aarch64",
                  "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.ppc64le",
                  "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.s390x",
                  "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.x86_64",
                  "openSUSE Leap 15.5:libopenssl-3-devel-32bit-3.0.8-150500.5.8.1.x86_64",
                  "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.aarch64",
                  "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.ppc64le",
                  "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.s390x",
                  "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.x86_64",
                  "openSUSE Leap 15.5:libopenssl3-32bit-3.0.8-150500.5.8.1.x86_64",
                  "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.aarch64",
                  "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.ppc64le",
                  "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.s390x",
                  "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.x86_64",
                  "openSUSE Leap 15.5:openssl-3-doc-3.0.8-150500.5.8.1.noarch",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 5.3,
                  baseSeverity: "MEDIUM",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  version: "3.1",
               },
               products: [
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.aarch64",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.ppc64le",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.s390x",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl-3-devel-3.0.8-150500.5.8.1.x86_64",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.aarch64",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.ppc64le",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.s390x",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:libopenssl3-3.0.8-150500.5.8.1.x86_64",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.aarch64",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.ppc64le",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.s390x",
                  "SUSE Linux Enterprise Module for Basesystem 15 SP5:openssl-3-3.0.8-150500.5.8.1.x86_64",
                  "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.aarch64",
                  "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.ppc64le",
                  "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.s390x",
                  "openSUSE Leap 15.5:libopenssl-3-devel-3.0.8-150500.5.8.1.x86_64",
                  "openSUSE Leap 15.5:libopenssl-3-devel-32bit-3.0.8-150500.5.8.1.x86_64",
                  "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.aarch64",
                  "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.ppc64le",
                  "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.s390x",
                  "openSUSE Leap 15.5:libopenssl3-3.0.8-150500.5.8.1.x86_64",
                  "openSUSE Leap 15.5:libopenssl3-32bit-3.0.8-150500.5.8.1.x86_64",
                  "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.aarch64",
                  "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.ppc64le",
                  "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.s390x",
                  "openSUSE Leap 15.5:openssl-3-3.0.8-150500.5.8.1.x86_64",
                  "openSUSE Leap 15.5:openssl-3-doc-3.0.8-150500.5.8.1.noarch",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               date: "2023-07-28T12:17:06Z",
               details: "moderate",
            },
         ],
         title: "CVE-2023-3446",
      },
   ],
}

CVE-2023-3446 (GCVE-0-2023-3446)

Vulnerability from cvelistv5

Published

2023-07-19 11:31

Modified

2024-10-14 14:55

Severity ?

Summary

Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ('p' parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulernable to a Denial of Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the '-check' option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

References

▼	URL	Tags
	https://www.openssl.org/news/secadv/20230719.txt	vendor-advisory
	https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23	patch
	https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb	patch
	https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528	patch
	https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c	patch

Impacted products

	Vendor	Product	Version
	OpenSSL	OpenSSL	Version: 3.1.0 ≤ Version: 3.0.0 ≤ Version: 1.1.1 < 1.1.1v Version: 1.0.2 < 1.0.2zi

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T06:55:03.577Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "OpenSSL Advisory",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://www.openssl.org/news/secadv/20230719.txt",
               },
               {
                  name: "3.1.2 git commit",
                  tags: [
                     "patch",
                     "x_transferred",
                  ],
                  url: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23",
               },
               {
                  name: "3.0.10 git commit",
                  tags: [
                     "patch",
                     "x_transferred",
                  ],
                  url: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb",
               },
               {
                  name: "1.1.1v git commit",
                  tags: [
                     "patch",
                     "x_transferred",
                  ],
                  url: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528",
               },
               {
                  name: "1.0.2zi patch (premium)",
                  tags: [
                     "patch",
                     "x_transferred",
                  ],
                  url: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2023/07/19/4",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2023/07/19/5",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2023/07/19/6",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2023/07/31/1",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20230803-0011/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202402-08",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2024/05/16/1",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "OpenSSL",
               vendor: "OpenSSL",
               versions: [
                  {
                     lessThan: "3.1.2",
                     status: "affected",
                     version: "3.1.0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "3.0.10",
                     status: "affected",
                     version: "3.0.0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "1.1.1v",
                     status: "affected",
                     version: "1.1.1",
                     versionType: "custom",
                  },
                  {
                     lessThan: "1.0.2zi",
                     status: "affected",
                     version: "1.0.2",
                     versionType: "custom",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "reporter",
               user: "00000000-0000-4000-9000-000000000000",
               value: "OSSfuzz",
            },
            {
               lang: "en",
               type: "remediation developer",
               user: "00000000-0000-4000-9000-000000000000",
               value: "Matt Caswell",
            },
         ],
         datePublic: "2023-07-13T00:00:00.000Z",
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "Issue summary: Checking excessively long DH keys or parameters may be very slow.<br><br>Impact summary: Applications that use the functions DH_check(), DH_check_ex()<br>or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long<br>delays. Where the key or parameters that are being checked have been obtained<br>from an untrusted source this may lead to a Denial of Service.<br><br>The function DH_check() performs various checks on DH parameters. One of those<br>checks confirms that the modulus ('p' parameter) is not too large. Trying to use<br>a very large modulus is slow and OpenSSL will not normally use a modulus which<br>is over 10,000 bits in length.<br><br>However the DH_check() function checks numerous aspects of the key or parameters<br>that have been supplied. Some of those checks use the supplied modulus value<br>even if it has already been found to be too large.<br><br>An application that calls DH_check() and supplies a key or parameters obtained<br>from an untrusted source could be vulernable to a Denial of Service attack.<br><br>The function DH_check() is itself called by a number of other OpenSSL functions.<br>An application calling any of those other functions may similarly be affected.<br>The other functions affected by this are DH_check_ex() and<br>EVP_PKEY_param_check().<br><br>Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications<br>when using the '-check' option.<br><br>The OpenSSL SSL/TLS implementation is not affected by this issue.<br><br>The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.",
                  },
               ],
               value: "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.",
            },
         ],
         metrics: [
            {
               format: "other",
               other: {
                  content: {
                     text: "Low",
                  },
                  type: "https://www.openssl.org/policies/secpolicy.html",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-606",
                     description: "CWE-606 Unchecked Input for Loop Condition",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-10-14T14:55:47.238Z",
            orgId: "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
            shortName: "openssl",
         },
         references: [
            {
               name: "OpenSSL Advisory",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://www.openssl.org/news/secadv/20230719.txt",
            },
            {
               name: "3.1.2 git commit",
               tags: [
                  "patch",
               ],
               url: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23",
            },
            {
               name: "3.0.10 git commit",
               tags: [
                  "patch",
               ],
               url: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb",
            },
            {
               name: "1.1.1v git commit",
               tags: [
                  "patch",
               ],
               url: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528",
            },
            {
               name: "1.0.2zi patch (premium)",
               tags: [
                  "patch",
               ],
               url: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "Excessive time spent checking DH keys and parameters",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
      assignerShortName: "openssl",
      cveId: "CVE-2023-3446",
      datePublished: "2023-07-19T11:31:34.994Z",
      dateReserved: "2023-06-28T14:21:39.968Z",
      dateUpdated: "2024-10-14T14:55:47.238Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

CVE-2023-2975 (GCVE-0-2023-2975)

Vulnerability from cvelistv5

Published

2023-07-14 11:16

Modified

2024-10-14 14:55

Severity ?

Summary

Issue summary: The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence. Impact summary: Applications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data can be misled by removing, adding or reordering such empty entries as these are ignored by the OpenSSL implementation. We are currently unaware of any such applications. The AES-SIV algorithm allows for authentication of multiple associated data entries along with the encryption. To authenticate empty data the application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with NULL pointer as the output buffer and 0 as the input buffer length. The AES-SIV implementation in OpenSSL just returns success for such a call instead of performing the associated data authentication operation. The empty data thus will not be authenticated. As this issue does not affect non-empty associated data authentication and we expect it to be rare for an application to use empty associated data entries this is qualified as Low severity issue.

References

▼	URL	Tags
	https://www.openssl.org/news/secadv/20230714.txt	vendor-advisory
	https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc	patch
	https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=00e2f5eea29994d19293ec4e8c8775ba73678598	patch

Impacted products

	Vendor	Product	Version
	OpenSSL	OpenSSL	Version: 3.1.0 ≤ Version: 3.0.0 ≤

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T06:41:04.070Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "OpenSSL Advisory",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://www.openssl.org/news/secadv/20230714.txt",
               },
               {
                  name: "3.1.2 git commit",
                  tags: [
                     "patch",
                     "x_transferred",
                  ],
                  url: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc",
               },
               {
                  name: "3.0.10 git commit",
                  tags: [
                     "patch",
                     "x_transferred",
                  ],
                  url: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=00e2f5eea29994d19293ec4e8c8775ba73678598",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2023/07/15/1",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2023/07/19/5",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20230725-0004/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202402-08",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "OpenSSL",
               vendor: "OpenSSL",
               versions: [
                  {
                     lessThan: "3.1.2",
                     status: "affected",
                     version: "3.1.0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "3.0.10",
                     status: "affected",
                     version: "3.0.0",
                     versionType: "semver",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "reporter",
               user: "00000000-0000-4000-9000-000000000000",
               value: "Juerg Wullschleger (Google)",
            },
            {
               lang: "en",
               type: "remediation developer",
               user: "00000000-0000-4000-9000-000000000000",
               value: "Tomas Mraz",
            },
         ],
         datePublic: "2023-07-07T00:00:00.000Z",
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "Issue summary: The AES-SIV cipher implementation contains a bug that causes<br>it to ignore empty associated data entries which are unauthenticated as<br>a consequence.<br><br>Impact summary: Applications that use the AES-SIV algorithm and want to<br>authenticate empty data entries as associated data can be misled by removing,<br>adding or reordering such empty entries as these are ignored by the OpenSSL<br>implementation. We are currently unaware of any such applications.<br><br>The AES-SIV algorithm allows for authentication of multiple associated<br>data entries along with the encryption. To authenticate empty data the<br>application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with<br>NULL pointer as the output buffer and 0 as the input buffer length.<br>The AES-SIV implementation in OpenSSL just returns success for such a call<br>instead of performing the associated data authentication operation.<br>The empty data thus will not be authenticated.<br><br>As this issue does not affect non-empty associated data authentication and<br>we expect it to be rare for an application to use empty associated data<br>entries this is qualified as Low severity issue.",
                  },
               ],
               value: "Issue summary: The AES-SIV cipher implementation contains a bug that causes\nit to ignore empty associated data entries which are unauthenticated as\na consequence.\n\nImpact summary: Applications that use the AES-SIV algorithm and want to\nauthenticate empty data entries as associated data can be misled by removing,\nadding or reordering such empty entries as these are ignored by the OpenSSL\nimplementation. We are currently unaware of any such applications.\n\nThe AES-SIV algorithm allows for authentication of multiple associated\ndata entries along with the encryption. To authenticate empty data the\napplication has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with\nNULL pointer as the output buffer and 0 as the input buffer length.\nThe AES-SIV implementation in OpenSSL just returns success for such a call\ninstead of performing the associated data authentication operation.\nThe empty data thus will not be authenticated.\n\nAs this issue does not affect non-empty associated data authentication and\nwe expect it to be rare for an application to use empty associated data\nentries this is qualified as Low severity issue.",
            },
         ],
         metrics: [
            {
               format: "other",
               other: {
                  content: {
                     text: "Low",
                  },
                  type: "https://www.openssl.org/policies/secpolicy.html",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-354",
                     description: "CWE-354 Improper Validation of Integrity Check Value",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-10-14T14:55:45.748Z",
            orgId: "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
            shortName: "openssl",
         },
         references: [
            {
               name: "OpenSSL Advisory",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://www.openssl.org/news/secadv/20230714.txt",
            },
            {
               name: "3.1.2 git commit",
               tags: [
                  "patch",
               ],
               url: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc",
            },
            {
               name: "3.0.10 git commit",
               tags: [
                  "patch",
               ],
               url: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=00e2f5eea29994d19293ec4e8c8775ba73678598",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "AES-SIV implementation ignores empty associated data entries",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
      assignerShortName: "openssl",
      cveId: "CVE-2023-2975",
      datePublished: "2023-07-14T11:16:25.151Z",
      dateReserved: "2023-05-30T10:29:34.539Z",
      dateUpdated: "2024-10-14T14:55:45.748Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

Vulnerability from csaf_suse

CVE-2023-3446 (GCVE-0-2023-3446)

Vulnerability from cvelistv5

CVE-2023-2975 (GCVE-0-2023-2975)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature