Für jbc.FTX und jbc.FTX API stehen neue Versionen zur Verfügung. Die verwundbare OpenSSL Version wurde ersetzt durch Versionen in denen der Fehler korrigiert wurde. Nun sind die OpenSSL Versionen 1.1.1v und 3.0.10 eingebunden.
Mit dem Update auf OpenSSL 3.0.10 wurden folgende Schwachstellen geschlossen – die vollständige Dokumentation finden Sie auch unter /news/vulnerabilities-3.0.html (openssl.org):
3.0.8
CVE-2022-4203 X.509 Name Constraints Read Buffer Overflow [Moderate severity] 07 February 2023
CVE-2022-4304 Timing Oracle in RSA Decryption [Moderate severity] 07 February 2023
CVE-2022-4450 Double free after calling PEM_read_bio_ex [Moderate severity] 07 February 2023
CVE-2023-0215 Use-after-free following BIO_new_NDEF [Moderate severity] 07 February 2023
CVE-2023-0216 Invalid pointer dereference in d2i_PKCS7 functions [Moderate severity] 07 February 2023
CVE-2023-0217 NULL dereference validating DSA public key [Moderate severity] 07 February 2023
CVE-2023-0286 X.400 address type confusion in X.509 GeneralName [High severity] 07 February 2023
CVE-2023-0401 NULL dereference during PKCS7 data verification [Moderate severity] 07 February 2023
3.0.9
CVE-2023-0464 Excessive Resource Usage Verifying X.509 Policy Constraints [Low severity] 21 March 2023
CVE-2023-0466 Certificate policy check not enabled [Low severity] 21 March 2023
CVE-2023-1255 Input buffer over-read in AES-XTS implementation on 64 bit ARM [Low severity] 21 March 2023
CVE-2023-0465 Invalid certificate policies in leaf certificates are silently ignored [Low severity] 23 March 2023
CVE-2023-2650 Possible DoS translating ASN.1 object identifiers [Moderate severity] 30 May 2023
3.0.10
CVE-2023-2975 AES-SIV implementation ignores empty associated data entries [Low severity] 07 July 2023
CVE-2023-3446 Excessive time spent checking DH keys and parameters [Low severity] 13 July 2023
CVE-2023-3817 Excessive time spent checking DH q parameter value [Low severity] 31 July 2023
Mit dem Update auf OpenSSL 1.1.1v wurden die folgenden Schwachstellen geschlossen – die vollständige Dokumentation ist unter /news/vulnerabilities-1.1.1.html (openssl.org) abgebildet.
1.1.1t
CVE-2022-4304 Timing Oracle in RSA Decryption [Moderate severity] 07 February 2023
CVE-2022-4450 Double free after calling PEM_read_bio_ex [Moderate severity] 07 February 2023
CVE-2023-0215 Use-after-free following BIO_new_NDEF [Moderate severity] 07 February 2023
CVE-2023-0286 X.400 address type confusion in X.509 GeneralName [High severity] 07 February 2023
1.1.1u
CVE-2023-0464 Excessive Resource Usage Verifying X.509 Policy Constraints [Low severity] 21 March 2023
CVE-2023-0466 Certificate policy check not enabled [Low severity] 21 March 2023
CVE-2023-0465 Invalid certificate policies in leaf certificates are silently ignored [Low severity] 23 March 2023
CVE-2023-2650 Possible DoS translating ASN.1 object identifiers [Moderate severity] 30 May 2023
1.1.1v
CVE-2023-3446 Excessive time spent checking DH keys and parameters [Low severity] 13 July 2023
CVE-2023-3817 Excessive time spent checking DH q parameter value [Low severity] 31 July 2023