Hello,

we are planning to do releases that would include these fixes soon.

Regards,
Tomas Mraz, OpenSSL

On Tue, 2024-01-16 at 08:19 +0000, Martin Bonner via openssl-users wrote:
> There are now three low priority CVEs against OpenSSL 3.0 (which is the only one
> I care about – others will be interested in 3.1 and 3.2 too).
>
> Are there any plans to release 3.0.13 with all of these fixed? We bundle
> OpenSSL 3.0 in our software, customer IT departments run scans, and these
> complain about the software containing CVEs.
>
> Yes, I know the _proper_ use of these scanners is to alert one to _potential_
> problems, and one should carefully consider each of the reported vulnerabilities
> and decide whether they are relevant or not. The problem is that this requires
> thinking, and people don't like to do that if at all possible - they just want
> to be able to tick the box "scan run and no vulnerabilities found".
>
> A release of 3.0.13 would allow us to satisfy these customers.
>
> Martin Bonner
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 15 Jan 2024 12:32:16 +0000
> From: Tomas Mraz <tomas@xxxxxxxxxxx>
> To: openssl-project@xxxxxxxxxxx, openssl-users@xxxxxxxxxxx, openssl-announce@xxxxxxxxxxx
> Subject: OpenSSL Security Advisory
> Message-ID: <ZaUl0KnRowwp+iAn@xxxxxxxxxxx>
> Content-Type: text/plain; charset=us-ascii
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> OpenSSL Security Advisory [15th January 2024]
> =============================================
>
> Excessive time spent checking invalid RSA public keys (CVE-2023-6237)
> =====================================================================
>
> Severity: Low
>
> Issue summary: Checking excessively long invalid RSA public keys may take
> a long time.
>
> …
>
> OpenSSL versions 3.0.0 to 3.0.12, 3.1.0 to 3.1.4 and 3.2.0 are vulnerable to
> this issue.
>
> OpenSSL versions 1.1.1 and 1.0.2 are not affected by this issue.
>
> Due to the low severity of this issue we are not issuing new releases of
> OpenSSL at this time. The fix will be included in the next releases when they
> become available. The fix is also available in commit 0b0f7abf (for 3.2),
> commit a830f551 (for 3.1) and commit 18c02492 (for 3.0) in the OpenSSL git
> repository.

-- 
Tomáš Mráz, OpenSSL
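The advisory quoted above (CVE-2023-6237) is about the cost of checking excessively long invalid RSA public keys. The following Python is an added example, not code from OpenSSL or from anyone in this thread: it shows the defensive pattern of bounding the modulus size before any expensive validity check is run on an untrusted key. It parses a PKCS#1 RSAPublicKey with a small DER reader, rejects moduli over a configurable bit limit, and only then applies the cheap structural checks. The 16384-bit default limit, the parser, and the sample keys are all assumptions of this example, not values taken from the advisory.

```python
"""Size gate for untrusted RSA public keys (added example, not OpenSSL code).

Parsing and bit_length() are linear in the encoded size, so the gate is cheap
even for an enormous key; anything whose cost grows faster than that
(small-factor scans, primality tests) should run only after the gate passes.
"""

MAX_MODULUS_BITS = 16384  # assumed policy limit for this example


def _der_len(data: bytes, pos: int):
    """Decode a DER length at data[pos]; return (length, position after it)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + 1 + nbytes > len(data):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def _der_encode_len(n: int) -> bytes:
    """DER length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(value: int) -> bytes:
    """DER INTEGER for a non-negative value; adds a 0x00 pad if the top bit is set."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_encode_len(len(body)) + body


def encode_rsa_public_key(n: int, e: int) -> bytes:
    """Build a PKCS#1 RSAPublicKey: SEQUENCE { INTEGER n, INTEGER e }."""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_encode_len(len(body)) + body


def parse_rsa_public_key(der: bytes):
    """Parse a PKCS#1 RSAPublicKey and return (n, e); no arithmetic on n here."""
    if not der or der[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    seq_len, pos = _der_len(der, 1)
    end = pos + seq_len
    if end != len(der):
        raise ValueError("trailing or truncated data")
    values = []
    for _ in range(2):
        if pos >= end or der[pos] != 0x02:
            raise ValueError("expected INTEGER")
        length, pos = _der_len(der, pos + 1)
        if pos + length > end:
            raise ValueError("INTEGER overruns SEQUENCE")
        values.append(int.from_bytes(der[pos:pos + length], "big", signed=True))
        pos += length
    n, e = values
    if n <= 0 or e <= 0:
        raise ValueError("non-positive modulus or exponent")
    return n, e


def modulus_bits(der: bytes) -> int:
    """Bit length of the modulus, obtained without any costly arithmetic."""
    n, _ = parse_rsa_public_key(der)
    return n.bit_length()


def validate_rsa_public_key(der: bytes, max_bits: int = MAX_MODULUS_BITS):
    """Gate on size first, then run only cheap structural checks.

    Returns (accepted, reason). A library's expensive tests on n would be
    invoked after this function returns True, never before the size gate.
    """
    try:
        n, e = parse_rsa_public_key(der)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if n.bit_length() > max_bits:
        return False, f"modulus {n.bit_length()} bits exceeds limit of {max_bits}"
    if n % 2 == 0:
        return False, "modulus is even"
    if e < 3 or e % 2 == 0 or e >= n:
        return False, "public exponent out of range"
    return True, "ok"


# Constructed sample keys (not real keys): a 2048-bit odd modulus with e=65537,
# and an oversized 65536-bit modulus of the kind the advisory is about.
SAMPLE_OK = encode_rsa_public_key((1 << 2047) | 1, 65537)
SAMPLE_HUGE = encode_rsa_public_key((1 << 65535) | 1, 65537)

if __name__ == "__main__":
    for label, key in (("2048-bit", SAMPLE_OK), ("65536-bit", SAMPLE_HUGE)):
        print(label, validate_rsa_public_key(key))
```

The point of the ordering is that rejection of an oversized key costs only a parse and a bit-length query; whatever a library does afterwards with the modulus, it never sees a key the policy has already refused.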