There are now three low priority CVEs against OpenSSL 3.0 (which is the only one I care about – others will be interested in 3.1 and 3.2 too). Are there any plans to release 3.0.13 with all of these fixed?

We bundle OpenSSL 3.0 in our software, customer IT departments run scans, and these complain about the software containing CVEs. Yes, I know the _proper_ use of these scanners is to alert one to _potential_ problems, and one should carefully consider each of the reported vulnerabilities and decide whether they are relevant or not. The problem is that this requires thinking, and people don't like to do that if at all possible - they just want to be able to tick the box "scan run and no vulnerabilities found". A release of 3.0.13 would allow us to satisfy these customers.

Martin Bonner

----------------------------------------------------------------------

Message: 1
Date: Mon, 15 Jan 2024 12:32:16 +0000
From: Tomas Mraz <tomas@xxxxxxxxxxx>
To: openssl-project@xxxxxxxxxxx, openssl-users@xxxxxxxxxxx, openssl-announce@xxxxxxxxxxx
Subject: OpenSSL Security Advisory
Message-ID: <ZaUl0KnRowwp+iAn@xxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL Security Advisory [15th January 2024]
=============================================

Excessive time spent checking invalid RSA public keys (CVE-2023-6237)
=====================================================================

Severity: Low

Issue summary: Checking excessively long invalid RSA public keys may take a long time.

…

OpenSSL versions 3.0.0 to 3.0.12, 3.1.0 to 3.1.4 and 3.2.0 are vulnerable to this issue.

OpenSSL versions 1.1.1 and 1.0.2 are not affected by this issue.

Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available.
The fix is also available in commit 0b0f7abf (for 3.2), commit a830f551 (for 3.1) and commit 18c02492 (for 3.0) in the OpenSSL git repository.
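An added example, not part of the advisory above, of Martin's message, or of OpenSSL's own code. The advisory's issue is that an attacker-supplied RSA public key that is both invalid and very large makes the library's key check spend a long time. An application that accepts public keys from untrusted parties (client certificates, JWKS documents, uploaded PEM files) can bound that cost itself by reading the modulus size straight out of the DER SubjectPublicKeyInfo and refusing oversized or obviously malformed keys before any library validation runs. The 16384-bit cap, the helper names and the sample key blobs below are this example's assumptions; the blobs are constructed synthetic numbers, not real RSA keys, and nothing here reproduces the fixed commits.

```python
# Added example: bound the size of an RSA SubjectPublicKeyInfo before passing it
# to a library key check. Pure stdlib; the 16384-bit cap is an assumption.

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
SEQUENCE, INTEGER, BIT_STRING, NULL, OID = 0x30, 0x02, 0x03, 0x05, 0x06


def _der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite, minimal-length field."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value; a leading 0x00 keeps it positive."""
    if value < 0:
        raise ValueError("only non-negative integers are encoded here")
    return _der_tlv(INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_rsa_spki(n: int, e: int) -> bytes:
    """Wrap RSAPublicKey {n, e} in a SubjectPublicKeyInfo. Only used to build
    sample input here; n does not have to be a genuine RSA modulus."""
    rsa_public_key = _der_tlv(SEQUENCE, _der_integer(n) + _der_integer(e))
    alg_id = _der_tlv(SEQUENCE, _der_tlv(OID, RSA_ENCRYPTION_OID) + _der_tlv(NULL, b""))
    return _der_tlv(SEQUENCE, alg_id + _der_tlv(BIT_STRING, b"\x00" + rsa_public_key))


def _read_tlv(buf: bytes, pos: int):
    """Decode one TLV at buf[pos]; return (tag, body, offset after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER body")
    return tag, buf[pos:end], end


def _expect(tag_seen: int, tag_wanted: int, what: str) -> None:
    if tag_seen != tag_wanted:
        raise ValueError(f"expected {what}, got tag 0x{tag_seen:02x}")


def parse_rsa_spki(der: bytes):
    """Return (n, e) from an rsaEncryption SubjectPublicKeyInfo, strictly."""
    tag, spki, end = _read_tlv(der, 0)
    _expect(tag, SEQUENCE, "SubjectPublicKeyInfo")
    if end != len(der):
        raise ValueError("trailing bytes after SubjectPublicKeyInfo")
    tag, alg, pos = _read_tlv(spki, 0)
    _expect(tag, SEQUENCE, "AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg, 0)
    _expect(tag, OID, "algorithm OID")
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, pos = _read_tlv(spki, pos)
    _expect(tag, BIT_STRING, "subjectPublicKey")
    if pos != len(spki) or not bitstr or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, rsa_pub, pos = _read_tlv(bitstr, 1)
    _expect(tag, SEQUENCE, "RSAPublicKey")
    if pos != len(bitstr):
        raise ValueError("trailing bytes after RSAPublicKey")
    tag, n_bytes, pos = _read_tlv(rsa_pub, 0)
    _expect(tag, INTEGER, "modulus")
    tag, e_bytes, pos = _read_tlv(rsa_pub, pos)
    _expect(tag, INTEGER, "publicExponent")
    if pos != len(rsa_pub):
        raise ValueError("trailing bytes after publicExponent")
    for name, raw in (("modulus", n_bytes), ("publicExponent", e_bytes)):
        if not raw or raw[0] & 0x80:  # two's complement: high bit means negative
            raise ValueError(f"{name} must be a positive INTEGER")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def precheck_rsa_spki(der: bytes, max_bits: int = 16384):
    """Cheap, linear-time checks to run before an expensive library key check.
    Returns (ok, reason). The size cap is this example's assumption."""
    try:
        n, e = parse_rsa_spki(der)
    except ValueError as exc:
        return False, f"parse error: {exc}"
    bits = n.bit_length()
    if bits > max_bits:
        return False, f"modulus is {bits} bits, cap is {max_bits}"
    if n % 2 == 0:
        return False, "modulus is even"
    if e < 3 or e % 2 == 0:
        return False, "public exponent must be odd and > 1"
    return True, f"{bits}-bit modulus accepted for full validation"


if __name__ == "__main__":
    # Constructed sample blobs: synthetic odd numbers, not real keys.
    print(precheck_rsa_spki(build_rsa_spki((1 << 2047) | 1, 65537)))
    print(precheck_rsa_spki(build_rsa_spki((1 << 32767) | 1, 65537)))
```

The point of the pre-check is ordering: everything it does is linear in the key length, so an oversized or malformed blob is rejected for a few microseconds' worth of parsing instead of being handed to a routine whose cost grows much faster with key size. It is a deployment-side guard, not a substitute for upgrading to a release that contains the fix, and the cap should match what the application actually needs to interoperate with.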