-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2021-33f8ebd09c 2021-09-02 23:45:36.565238 -------------------------------------------------------------------------------- Name : opencryptoki Product : Fedora 34 Version : 3.16.0 Release : 2.fc34 URL : https://github.com/opencryptoki/opencryptoki Summary : Implementation of the PKCS#11 (Cryptoki) specification v2.11 Description : Opencryptoki implements the PKCS#11 specification v2.11 for a set of cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also brings a software token implementation that can be used without any cryptographic hardware. This package contains the Slot Daemon (pkcsslotd) and general utilities. -------------------------------------------------------------------------------- Update Information: When constructing an OpenSSL EC public or private key from PKCS#11 attributes or ECDH public data, check that the key is valid, i.e. that the point is on the curve. This prevents one from creating an EC key object via C_CreateObject with invalid key data. It also prevents C_DeriveKey to derive a secret using ECDH with an EC public key (public data) that uses a different curve or is invalid by other means. The problem is fixed in opencryptoki-3.16.0-2 -------------------------------------------------------------------------------- ChangeLog: * Tue Aug 24 2021 Than Ngo- 3.16.0-2 - Fixed bz#1990592, allows invalid curve attacks via a specially crafted key -------------------------------------------------------------------------------- References: [ 1 ] Bug #1990591 - opencryptoki: allows invalid curve attacks via a specially crafted key https://bugzilla.redhat.com/show_bug.cgi?id=1990591 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2021-33f8ebd09c' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure