DLA-3942-1

Details

CVE-2024-5535 CVE-2024-9143 Debian Bug : 1055473 1061582 1068658 1072113 1074487 1085378

Multiple vulnerabilities were discovered in OpenSSL, the Secure Sockets Layer toolkit.

CVE-2023-5678

A denial of service could occur with excessively long X9.42 DH keys.

CVE-2024-0727

A denial of service could occur with a null field in a PKCS12 file.

CVE-2024-2511

A denial of service could occur when the SSL_OP_NO_TICKET flag is
set, with TLSv1.3.

CVE-2024-4741

A use-after-free problem was found in the SSL_free_buffers function.

CVE-2024-5535

Calling the OpenSSL API function SSL_select_next_proto with an empty
supported client protocols buffer may cause a crash or memory
contents to be sent to the peer.

CVE-2024-9143

Use of the low-level GF(2^m) elliptic curve APIs with untrusted
explicit values for the field polynomial can lead to out-of-bounds
memory reads or writes.  This could lead to information disclosure
or possibly remote code execution.

Affected Packages

openssl

Debian 11

Fixed in:

1.1.1n-0+deb11u6

References

ADVISORY

https://security-tracker.debian.org/tracker/DLA-3942-1