-------------------------------------------------------------------------
Debian LTS Advisory DLA-3942-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Sean Whitton
October 31, 2024                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : openssl
Version        : 1.1.1n-0+deb11u6
CVE ID         : CVE-2023-5678 CVE-2024-0727 CVE-2024-2511 CVE-2024-4741
                 CVE-2024-5535 CVE-2024-9143
Debian Bug     : 1055473 1061582 1068658 1072113 1074487 1085378

Multiple vulnerabilities were discovered in OpenSSL, the Secure Sockets
Layer toolkit.

CVE-2023-5678

    A denial of service could occur with excessively long X9.42 DH keys.

CVE-2024-0727

    A denial of service could occur with a null field in a PKCS12 file.

CVE-2024-2511

    A denial of service could occur with TLSv1.3 when the SSL_OP_NO_TICKET
    flag is set.

CVE-2024-4741

    A use-after-free problem was found in the SSL_free_buffers function.

CVE-2024-5535

    Calling the OpenSSL API function SSL_select_next_proto with an empty
    supported client protocols buffer may cause a crash or memory contents
    to be sent to the peer.

CVE-2024-9143

    Use of the low-level GF(2^m) elliptic curve APIs with untrusted
    explicit values for the field polynomial can lead to out-of-bounds
    memory reads or writes. This could lead to information disclosure or
    possibly remote code execution.

For Debian 11 bullseye, these problems have been fixed in version
1.1.1n-0+deb11u6.

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openssl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
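The upgrade recommendation above is verified by comparing installed openssl versions against the fixed version 1.1.1n-0+deb11u6. The following is an added example, not part of the advisory or of the Debian tooling: it reimplements the dpkg version-ordering rules (epoch, upstream, revision; '~' sorting first; digit runs compared numerically) in Python so that a fleet inventory exported from many hosts can be checked offline. The hostnames and versions in SAMPLE_INVENTORY are constructed, not real hosts.

```python
import itertools
import re

# Fixed version named in DLA-3942-1 for Debian 11 bullseye.
FIXED_VERSION = "1.1.1n-0+deb11u6"
_RUNS = re.compile(r"(\D*)(\d*)")  # alternating non-digit / digit runs


def _order(c):
    # dpkg's per-character weight: '~' sorts before everything (even end of string);
    # digits and end-of-string weigh 0, letters by code point, other symbols after letters.
    return -1 if c == "~" else 0 if not c or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a, b):
    # The same comparison dpkg applies to the upstream part and to the revision part.
    pairs = itertools.zip_longest(_RUNS.findall(a), _RUNS.findall(b), fillvalue=("", ""))
    for (sa, na), (sb, nb) in pairs:
        for ca, cb in itertools.zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(na or 0) != int(nb or 0):  # digit runs compare numerically
            return int(na or 0) - int(nb or 0)
    return 0


def _split(version):
    # '[epoch:]upstream[-revision]': epoch defaults to 0, revision to "".
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a against b like `dpkg --compare-versions`."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed openssl version already carries the DLA-3942-1 fix."""
    return compare_versions(installed, fixed) >= 0


def unpatched_hosts(inventory, fixed=FIXED_VERSION):
    """Hosts whose recorded openssl version is older than the fixed version."""
    return sorted(h for h, v in inventory.items() if not is_fixed(v, fixed))


# Constructed sample inventory (hostname -> installed openssl version); not real hosts.
SAMPLE_INVENTORY = {"web-01": "1.1.1n-0+deb11u5", "web-02": "1.1.1n-0+deb11u6", "db-01": "1.1.1n-0+deb11u3", "bastion": "1.1.1w-1"}
```

On a single bullseye host the canonical check is `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' openssl)" ge 1.1.1n-0+deb11u6`; the Python version is for checking an exported inventory where dpkg is not available.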