1. Forum
  2. Usenet
  3. LINUX.DEBIAN.BUGS.RC

  • Bug#1095765: openssl: CVE-2024-12797

    From Salvatore Bonaccorso@21:1/5 to All on Tue Feb 11 20:20:01 2025
    Source: openssl
    Version: 3.4.0-2
    Severity: grave
    Tags: security upstream
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerability was published for openssl.

    CVE-2024-12797[0]:
    | Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to
    | authenticate a server may fail to notice that the server was not
    | authenticated, because handshakes don't abort as expected when the
    | SSL_VERIFY_PEER verification mode is set. Impact summary: TLS and
    | DTLS connections using raw public keys may be vulnerable to man-in-
    | middle attacks when server authentication failure is not detected by
    | clients. RPKs are disabled by default in both TLS clients and TLS
    | servers. The issue only arises when TLS clients explicitly enable
    | RPK use by the server, and the server, likewise, enables sending of
    | an RPK instead of an X.509 certificate chain. The affected clients
    | are those that then rely on the handshake to fail when the server's
    | RPK fails to match one of the expected public keys, by setting the
    | verification mode to SSL_VERIFY_PEER. Clients that enable server-
    | side raw public keys can still find out that raw public key
    | verification failed by calling SSL_get_verify_result(), and those
    | that do, and take appropriate action, are not affected. This issue
    | was introduced in the initial implementation of RPK support in
    | OpenSSL 3.2. The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are not
    | affected by this issue.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2024-12797
    https://www.cve.org/CVERecord?id=CVE-2024-12797
    [1] https://openssl-library.org/news/secadv/20250211.txt

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Debian Bug Tracking System@21:1/5 to All on Tue Feb 11 22:30:01 2025
    This is a multi-part message in MIME format...

    Your message dated Tue, 11 Feb 2025 21:25:23 +0000
    with message-id <E1thxkx-005kg1-A7@fasolo.debian.org>
    and subject line Bug#1095765: fixed in openssl 3.4.1-1
    has caused the Debian Bug report #1095765,
    regarding openssl: CVE-2024-12797
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1095765: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095765
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

    Received: (at submit) by bugs.debian.org; 11 Feb 2025 19:11:35 +0000 X-Spam-Checker-Version: SpamAssassin 3.4.6-bugs.debian.org_2005_01_02
    (2021-04-09) on buxtehude.debian.org
    X-Spam-Level:
    X-Spam-Status: No, score=-8.5 required=4.0 tests=BAYES_00,FOURLA,FROMDEVELOPER,
    KHOP_HELO_FCRDNS,RDNS_DYNAMIC,SPF_HELO_NONE,SPF_NONE,XMAILER_REPORTBUG
    autolearn=ham autolearn_force=no
    version=3.4.6-bugs.debian.org_2005_01_02
    X-Spam-Bayes: score:0.0000 Tokens: new, 23; hammy, 150; neutral, 93; spammy,
    0. spammytokens: hammytokens:0.000-+--H*F:U*carnil,
    0.000-+--XDebbugsCc, 0.000-+--X-Debbugs-Cc, 0.000-+--H*M:reportbug,
    0.000-+--H*MI:reportbug
    Return-path: <carnil@debian.org>
    Received: from c-82-192-244-13.customer.ggaweb.ch ([82.192.244.13]:54792 helo=eldamar.lan)
    by buxtehude.debian.org with esmtp (Exim 4.94.2)
    (envelope-from <carnil@debian.org>)
    id 1t