
Fedora 34: FEDORA-2021-33f8ebd09c Critical: OpenCryptoki Key Security

September 2, 2021
This Fedora 34 update makes opencryptoki reject invalid key data when creating EC key objects and when deriving secrets with ECDH.

Summary

Opencryptoki implements the PKCS#11 specification v2.11 for a set of cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also brings a software token implementation that can be used without any cryptographic hardware.

This package contains the Slot Daemon (pkcsslotd) and general utilities.

When constructing an OpenSSL EC public or private key from PKCS#11 attributes or ECDH public data, check that the key is valid, i.e. that the point is on the curve. This prevents an EC key object from being created via C_CreateObject with invalid key data. It also prevents C_DeriveKey from deriving a secret using ECDH with an EC public key (public data) that uses a different curve or is otherwise invalid. The problem is fixed in opencryptoki-3.16.0-2.
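The point-on-curve check described above, written out for NIST P-256 as an added example (this is not opencryptoki's code, which performs the check through OpenSSL). It assumes the public data arrives as a raw uncompressed SEC1 point (0x04 || X || Y); the function names and the choice of P-256 are this example's own.

```python
# Added example: public-point validation for NIST P-256 (not opencryptoki code).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1   # field prime p
A = P - 3                                  # curve coefficient a
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


class InvalidPoint(ValueError):
    """Raised when supplied EC public data must be rejected."""


def parse_and_validate(public_data: bytes) -> tuple:
    """Parse an uncompressed point (0x04 || X || Y) and validate it for P-256."""
    if len(public_data) != 65 or public_data[0] != 0x04:
        # Also rejects the point-at-infinity encoding (a single 0x00 byte).
        raise InvalidPoint("expected a 65-byte uncompressed point")
    x = int.from_bytes(public_data[1:33], "big")
    y = int.from_bytes(public_data[33:], "big")
    if x >= P or y >= P:
        raise InvalidPoint("coordinate is not reduced modulo p")
    # The check the advisory describes: y^2 == x^3 + a*x + b (mod p).
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        raise InvalidPoint("point is not on the curve")
    # P-256 has cofactor 1, so an on-curve point lies in the intended group.
    return x, y


def encode(x: int, y: int) -> bytes:
    """Build the uncompressed encoding of (x, y)."""
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def is_accepted(public_data: bytes) -> bool:
    """True if the data passes validation and may be used for key creation or ECDH."""
    try:
        parse_and_validate(public_data)
        return True
    except InvalidPoint:
        return False


if __name__ == "__main__":
    # Constructed inputs: the P-256 base point, and the same point with Y altered.
    print("base point:", is_accepted(encode(GX, GY)))
    print("altered Y :", is_accepted(encode(GX, (GY + 1) % P)))
```

Because the curve equation uses the coefficients of the expected curve, public data computed for a different curve is rejected by the same test.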

Change Log

* Tue Aug 24 2021 Than Ngo - 3.16.0-2
- Fixed bz#1990592, allows invalid curve attacks via a specially crafted key

References

[1] Bug #1990591 - opencryptoki: allows invalid curve attacks via a specially crafted key
https://bugzilla.redhat.com/show_bug.cgi?id=1990591

Update Instructions

Run su -c 'dnf upgrade --advisory FEDORA-2021-33f8ebd09c' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/



Severity: critical

Product: Fedora 34
Version: 3.16.0
Release: 2.fc34
Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11
