
Mageia 8: Critical OpenSSL DoS Vulnerabilities Identified in 2021-0176

Mageia, April 5, 2021
Mageia's latest OpenSSL updates tackle critical vulnerabilities and safeguard against possible Denial of Service threats.

Summary

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. (CVE-2021-3449).
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that c...
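Two things a defender wants from the CVE-2021-3449 description above: a way to tell whether a host still runs a pre-1.1.1k OpenSSL, and an interim mitigation that removes the trigger condition (TLSv1.2 with renegotiation enabled) until the 1.1.1k package is installed. The following is an added example, not code from Mageia or OpenSSL; it uses Python's standard ssl module, and it assumes, following the upstream advisory linked under References, that only the 1.1.1 branch is affected.

```python
import re
import ssl

# Upstream fixed CVE-2021-3449 and CVE-2021-3450 in OpenSSL 1.1.1k. The patch
# letter 'k' is 11 in the (major, minor, fix, patch, ...) numbering that
# ssl.OPENSSL_VERSION_INFO exposes for the 1.1.1 branch.
FIXED_PATCH = 11
_VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)")
# Interim-mitigation flag; absent on very old Python/OpenSSL builds.
NO_RENEG = getattr(ssl, "OP_NO_RENEGOTIATION", 0)


def parse_version_string(banner):
    """Turn `openssl version` output such as 'OpenSSL 1.1.1j  16 Feb 2021'
    into (major, minor, fix, patch); the patch letter becomes a number."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return int(major), int(minor), int(fix), patch


def openssl_needs_update(version=ssl.OPENSSL_VERSION_INFO):
    """True when the version is on the 1.1.1 branch and older than 1.1.1k.
    Assumption (upstream advisory): 1.0.2 and 3.x are not affected."""
    major, minor, fix, patch = version[:4]
    return (major, minor, fix) == (1, 1, 1) and patch < FIXED_PATCH


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side context with renegotiation disabled. The advisory says a
    server is only vulnerable with TLSv1.2 *and* renegotiation enabled, so
    this removes the trigger on hosts that cannot update immediately."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    ctx.options |= NO_RENEG
    return ctx


def renegotiation_disabled(ctx):
    """Report whether the mitigation flag is available and actually set."""
    return bool(NO_RENEG) and bool(ctx.options & NO_RENEG)


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, "needs update:", openssl_needs_update())
    ctx = hardened_server_context()
    print("renegotiation disabled:", renegotiation_disabled(ctx))
```

On a Mageia 8 host the banner check can be fed the output of `openssl version`, while the package fix itself is the openssl-1.1.1k-1.mga8 SRPM listed under Resolution.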


References

- https://bugs.mageia.org/show_bug.cgi?id=28640

- https://openssl-library.org/news/secadv/20210325.txt

- https://www.cve.org/CVERecord?id=CVE-2021-3449

- https://www.cve.org/CVERecord?id=CVE-2021-3450

Resolution

SRPMS

- 8/core/openssl-1.1.1k-1.mga8

Severity: critical

Publication date: 05 Apr 2021
URL: https://advisories.mageia.org/MGASA-2021-0176.html
Type: security
CVE: CVE-2021-3449, CVE-2021-3450
