SB2025032927 - Anolis OS update for openssl

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Resource management error (CVE-ID: CVE-2023-3446)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the DH_check(), DH_check_ex() and EVP_PKEY_param_check() function when processing a DH key or DH parameters. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

2) Resource management error (CVE-ID: CVE-2023-3817)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when checking the long DH keys. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

3) Resource management error (CVE-ID: CVE-2023-5678)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within DH_generate_key() and DH_check_pub_key() functions. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

4) Observable discrepancy (CVE-ID: CVE-2024-2408)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the openssl_private_decrypt function in PHP when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default) is vulnerable to the Marvin Attack. A remote attacker can gain access to sensitive information.

Remediation

Install update from vendor's website.

References

• https://anas.openanolis.cn/errata/detail/ANSA-2024:0134