Bug 2038910 - Rebase to upstream release 3.0.1
Summary: Rebase to upstream release 3.0.1
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: openssl
Version: 9.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Sahana Prasad
QA Contact: Alicja Kario
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-01-10 14:22 UTC by Sahana Prasad
Modified: 2022-05-17 15:39 UTC (History)

Fixed In Version: openssl-3.0.1-1.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-17 15:36:34 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+
Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker CRYPTO-5991 0 None None None 2022-01-10 15:01:36 UTC
Red Hat Issue Tracker RHELPLAN-107296 0 None None None 2022-01-10 14:29:11 UTC
Red Hat Product Errata RHBA-2022:3900 0 None None None 2022-05-17 15:37:03 UTC

Description Sahana Prasad 2022-01-10 14:22:57 UTC
Changes between 3.0.0 and 3.0.1

 * Fixed invalid handling of X509_verify_cert() internal errors in libssl.
   Internally libssl in OpenSSL calls X509_verify_cert() on the client side to
   verify a certificate supplied by a server. That function may return a
   negative return value to indicate an internal error (for example out of
   memory). Such a negative return value is mishandled by OpenSSL and will cause
   an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate
   success and a subsequent call to SSL_get_error() to return the value
   SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be
   returned by OpenSSL if the application has previously called
   SSL_CTX_set_cert_verify_callback(). Since most applications do not do this,
   the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be
   totally unexpected and applications may not behave correctly as a result. The
   exact behaviour will depend on the application, but it could result in
   crashes, infinite loops or other similar incorrect responses.

   This issue is made more serious in combination with a separate bug in OpenSSL
   3.0 that will cause X509_verify_cert() to indicate an internal error when
   processing a certificate chain. This will occur where a certificate does not
   include the Subject Alternative Name extension but where a Certificate
   Authority has enforced name constraints. This issue can occur even with valid
   chains.
   ([CVE-2021-4044])

 * Corrected a few file name and file reference bugs in the build,
   installation and setup scripts, which led to installation verification
   failures. Slightly enhanced the installation verification script.

 * Fixed EVP_PKEY_eq() to make it possible to use it with strictly private
   keys.

 * Fixed PVK encoder to properly query for the passphrase.

 * Multiple fixes in the OSSL_HTTP API functions.

 * Allow sign extension in OSSL_PARAM_allocate_from_text() for the
   OSSL_PARAM_INTEGER data type and return error on negative numbers
   used with the OSSL_PARAM_UNSIGNED_INTEGER data type. Make
   OSSL_PARAM_BLD_push_BN{,_pad}() return an error on negative numbers.

 * Allow copying uninitialized digest contexts with EVP_MD_CTX_copy_ex.

 * Fixed detection of ARMv7 and ARM64 CPU features on FreeBSD.

 * Multiple threading fixes.

 * Added NULL digest implementation to keep compatibility with 1.1.1 version.

 * Allow fetching an operation from the provider that owns an unexportable key
   as a fallback if that is still allowed by the property query.
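An added example, not part of the bug report or of OpenSSL: a Python check that takes `rpm -q` style package names from an inventory and reports hosts whose openssl packages are still below the "Fixed In Version" above (openssl-3.0.1-1.el9), i.e. still carry the CVE-2021-4044 handling bug. It implements RPM's version ordering (numeric and alpha segments, tilde pre-releases; caret handling is omitted) and assumes the listed openssl subpackage names and a constructed sample inventory.

```python
import re

# Fixed In Version from this bug: openssl-3.0.1-1.el9 as (epoch, version, release)
FIXED_EVR = ("0", "3.0.1", "1.el9")
# Assumed RHEL 9 subpackages built from the openssl source package; they share
# its version-release, so the same threshold applies to each of them.
OPENSSL_PKGS = {"openssl", "openssl-libs", "openssl-devel", "openssl-perl"}

_SEG = re.compile(r"(\d+|[A-Za-z]+|~)")  # rpmvercmp-style segments

def rpmvercmp(a, b):
    """Order two RPM version/release strings: 1 if a > b, -1 if a < b, else 0.
    Numeric segments compare as integers, alpha segments as strings, numeric
    beats alpha, and '~' (pre-release marker) sorts before anything."""
    xs, ys = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(xs, ys):
        if x == "~" or y == "~":
            if x != y:
                return 1 if y == "~" else -1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(xs) == len(ys):
        return 0
    longer_is_a = len(xs) > len(ys)
    rest = xs[len(ys):] if longer_is_a else ys[len(xs):]
    if rest[0] == "~":  # extra trailing pre-release suffix sorts lower
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1

def parse_nevra(nevra):
    """Split 'name-[epoch:]version-release.arch' as printed by rpm -q."""
    nvr, _arch = nevra.rsplit(".", 1)
    name, ver, rel = nvr.rsplit("-", 2)
    epoch, ver = ver.split(":", 1) if ":" in ver else ("0", ver)
    return name, epoch, ver, rel

def is_fixed(nevra):
    """True if this is an openssl package at or above openssl-3.0.1-1.el9."""
    name, epoch, ver, rel = parse_nevra(nevra)
    if name not in OPENSSL_PKGS:
        return False
    for have, want in zip((epoch, ver, rel), FIXED_EVR):
        c = rpmvercmp(have, want)
        if c:
            return c > 0
    return True

# Constructed sample: 'rpm -q openssl openssl-libs' output from several hosts
SAMPLE = {
    "web1": ["openssl-3.0.0-5.el9.x86_64", "openssl-libs-3.0.0-5.el9.x86_64"],
    "web2": ["openssl-3.0.1-1.el9.x86_64", "openssl-libs-3.0.1-1.el9.x86_64"],
    "db1": ["openssl-3.0.1-0.2.el9.aarch64"],  # release number below the fix
}

def hosts_needing_update(inventory):
    """Hosts with at least one openssl package below the fixed version."""
    return sorted(h for h, pkgs in inventory.items() if not all(map(is_fixed, pkgs)))

if __name__ == "__main__":
    print(hosts_needing_update(SAMPLE))  # ['db1', 'web1']
```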

Comment 8 errata-xmlrpc 2022-05-17 15:36:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: openssl), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3900