Security update for openssl-3

Announcement ID:	SUSE-SU-2023:0312-1
Rating:	important
References:	bsc#1195149 bsc#1206222 bsc#1207533 bsc#1207534 bsc#1207535 bsc#1207536 bsc#1207538 bsc#1207539 bsc#1207540 bsc#1207541
Cross-References:	CVE-2022-4203 CVE-2022-4304 CVE-2022-4450 CVE-2023-0215 CVE-2023-0216 CVE-2023-0217 CVE-2023-0286 CVE-2023-0401
CVSS scores:	CVE-2022-4203 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H CVE-2022-4203 ( NVD ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2022-4304 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2022-4304 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2022-4450 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-4450 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-0215 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-0215 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-0216 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-0216 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-0217 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-0217 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-0286 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2023-0286 ( NVD ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2023-0401 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-0401 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	Basesystem Module 15-SP4 openSUSE Leap 15.4 SUSE Linux Enterprise Desktop 15 SP4 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise Real Time 15 SP4 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Manager Proxy 4.3 SUSE Manager Retail Branch Server 4.3 SUSE Manager Server 4.3

An update that solves eight vulnerabilities and has two security fixes can now be installed.

Description:

This update for openssl-3 fixes the following issues:

Security fixes:

• CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533).
• CVE-2023-0401: Fixed NULL pointer dereference during PKCS7 data verification (bsc#1207541).
• CVE-2023-0217: Fixed NULL pointer dereference validating DSA public key (bsc#1207540).
• CVE-2023-0216: Fixed invalid pointer dereference in d2i_PKCS7 functions (bsc#1207539).
• CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536).
• CVE-2022-4450: Fixed double free after calling PEM_read_bio_ex() (bsc#1207538).
• CVE-2022-4304: Fixed timing Oracle in RSA Decryption (bsc#1207534).
• CVE-2022-4203: Fixed read Buffer Overflow with X.509 Name Constraints (bsc#1207535).

Non-security fixes:

• Fix SHA, SHAKE, KECCAK ASM and EC ASM flag passing (bsc#1206222).
• Enable zlib compression support (bsc#1195149).
• Add crypto-policies dependency.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.4
  zypper in -t patch openSUSE-SLE-15.4-2023-312=1
• Basesystem Module 15-SP4
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2023-312=1

Package List:

• openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
  • openssl-3-debuginfo-3.0.1-150400.4.17.1
  • openssl-3-debugsource-3.0.1-150400.4.17.1
  • libopenssl-3-devel-3.0.1-150400.4.17.1
  • libopenssl3-3.0.1-150400.4.17.1
  • openssl-3-3.0.1-150400.4.17.1
  • libopenssl3-debuginfo-3.0.1-150400.4.17.1
• openSUSE Leap 15.4 (x86_64)
  • libopenssl3-32bit-3.0.1-150400.4.17.1
  • libopenssl-3-devel-32bit-3.0.1-150400.4.17.1
  • libopenssl3-32bit-debuginfo-3.0.1-150400.4.17.1
• openSUSE Leap 15.4 (noarch)
  • openssl-3-doc-3.0.1-150400.4.17.1
• Basesystem Module 15-SP4 (aarch64 ppc64le s390x x86_64)
  • openssl-3-debuginfo-3.0.1-150400.4.17.1
  • openssl-3-debugsource-3.0.1-150400.4.17.1
  • libopenssl-3-devel-3.0.1-150400.4.17.1
  • libopenssl3-3.0.1-150400.4.17.1
  • openssl-3-3.0.1-150400.4.17.1
  • libopenssl3-debuginfo-3.0.1-150400.4.17.1

References:

• https://www.suse.com/security/cve/CVE-2022-4203.html
• https://www.suse.com/security/cve/CVE-2022-4304.html
• https://www.suse.com/security/cve/CVE-2022-4450.html
• https://www.suse.com/security/cve/CVE-2023-0215.html
• https://www.suse.com/security/cve/CVE-2023-0216.html
• https://www.suse.com/security/cve/CVE-2023-0217.html
• https://www.suse.com/security/cve/CVE-2023-0286.html
• https://www.suse.com/security/cve/CVE-2023-0401.html
• https://bugzilla.suse.com/show_bug.cgi?id=1195149
• https://bugzilla.suse.com/show_bug.cgi?id=1206222
• https://bugzilla.suse.com/show_bug.cgi?id=1207533
• https://bugzilla.suse.com/show_bug.cgi?id=1207534
• https://bugzilla.suse.com/show_bug.cgi?id=1207535
• https://bugzilla.suse.com/show_bug.cgi?id=1207536
• https://bugzilla.suse.com/show_bug.cgi?id=1207538
• https://bugzilla.suse.com/show_bug.cgi?id=1207539
• https://bugzilla.suse.com/show_bug.cgi?id=1207540
• https://bugzilla.suse.com/show_bug.cgi?id=1207541