Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the '-policy' argument to the command line utilities or by calling the 'X509_VERIFY_PARAM_set1_policies()' function.

References:
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=facfb1ab745646e97a1920977ae4a9965ea61d5c
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1dd43e0709fece299b15208f36cc7c76209ba0bb
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=10325176f3d3e98c6e2b3bf5ab1e3b334de6947a
https://www.openssl.org/news/secadv/20230328.txt
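The description above notes that policy processing is off unless the caller enables it. The following shell script is an added example, not part of this Bugzilla entry and not OpenSSL project code, showing how to check what a deployment actually enforces: it builds a throwaway CA and two leaf certificates, then runs 'openssl verify' with and without policy processing. It requires the openssl command-line tool; the function names (make_ca, make_leaf, verify_default, verify_with_policy, run_demo) and the two policy OIDs under 1.3.6.1.4.1.99999 are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Bugzilla entry or of OpenSSL itself.
# Builds a throwaway CA plus two leaf certificates and shows that `openssl verify`
# only consults certificatePolicies once policy processing is switched on.
# Requires the openssl command-line tool. The policy OIDs below are constructed
# placeholders under a private-enterprise arc, not real policies.
set -u

REQUIRED_POLICY="1.3.6.1.4.1.99999.1"   # policy the relying party insists on (constructed)
OTHER_POLICY="1.3.6.1.4.1.99999.2"      # an unrelated policy (constructed)
WORK=""

# make_ca: self-signed root. Extensions come only from the extfile, so the
# result does not depend on the local openssl.cnf.
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Policy Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1 || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -sha256 -days 1 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# make_leaf NAME POLICY_OID: end-entity certificate asserting certificatePolicies=POLICY_OID
make_leaf() {
    name=$1; policy=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name.example.test" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1 || return 1
    printf 'basicConstraints=CA:FALSE\ncertificatePolicies=%s\n' "$policy" > "$WORK/$name.ext"
    openssl x509 -req -sha256 -days 1 -in "$WORK/$name.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
}

# verify_default NAME: plain chain verification. Policy processing is off by
# default, so certificatePolicies is never consulted. Returns openssl's exit status.
verify_default() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# verify_with_policy NAME: policy processing on, one required policy, and
# -explicit_policy so that a chain which cannot satisfy it is rejected.
verify_with_policy() {
    openssl verify -CAfile "$WORK/ca.pem" \
        -policy_check -policy "$REQUIRED_POLICY" -explicit_policy \
        "$WORK/$1.pem" >/dev/null 2>&1
}

setup() {
    WORK=$(mktemp -d) || return 1
    make_ca && make_leaf good "$REQUIRED_POLICY" && make_leaf other "$OTHER_POLICY"
}

cleanup() { [ -n "$WORK" ] && rm -rf "$WORK"; WORK=""; }

# run_demo: returns 0 when every observation matches the expected behaviour, 1 otherwise
run_demo() {
    setup || { cleanup; return 1; }
    rc=0
    verify_default good     || rc=1   # valid chain
    verify_default other    || rc=1   # also accepted: policies are not checked by default
    verify_with_policy good || rc=1   # required policy asserted -> accepted
    verify_with_policy other && rc=1  # required policy missing -> rejected
    cleanup
    return $rc
}

if run_demo; then
    echo "policy enforcement behaves as expected"
else
    echo "unexpected verification result (is openssl installed?)"
fi
```

'-policy_check' turns policy processing on, '-policy' supplies the policy the relying party accepts, and '-explicit_policy' makes a chain that cannot satisfy it fail instead of merely building an empty policy tree. Without those options both leaves verify, which is the default behaviour the description refers to; with them, the leaf asserting an unrelated policy is rejected. Applications that rely on this enforcement need the fixed OpenSSL builds listed below so that malformed policy data in a leaf is likewise treated as a verification failure rather than skipped.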
Created edk2 tracking bugs for this issue:
Affects: fedora-36 [bug 2182591]
Affects: fedora-37 [bug 2182596]

Created mingw-openssl tracking bugs for this issue:
Affects: fedora-36 [bug 2182592]
Affects: fedora-37 [bug 2182597]

Created openssl tracking bugs for this issue:
Affects: fedora-36 [bug 2182593]
Affects: fedora-37 [bug 2182598]

Created openssl1.1 tracking bugs for this issue:
Affects: fedora-36 [bug 2182594]
Affects: fedora-37 [bug 2182599]

Created openssl11 tracking bugs for this issue:
Affects: epel-7 [bug 2182589]

Created openssl3 tracking bugs for this issue:
Affects: epel-8 [bug 2182590]

Created shim tracking bugs for this issue:
Affects: fedora-36 [bug 2182595]
Affects: fedora-37 [bug 2182600]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2023:3722 https://access.redhat.com/errata/RHSA-2023:3722
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-0465
This issue has been addressed in the following products:
Red Hat JBoss Web Server 5.7 on RHEL 7
Red Hat JBoss Web Server 5.7 on RHEL 8
Red Hat JBoss Web Server 5.7 on RHEL 9
Via RHSA-2023:7622 https://access.redhat.com/errata/RHSA-2023:7622
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2023:7623 https://access.redhat.com/errata/RHSA-2023:7623
This issue has been addressed in the following products:
JBoss Core Services on RHEL 7
JBoss Core Services for RHEL 8
Via RHSA-2023:7625 https://access.redhat.com/errata/RHSA-2023:7625
This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2023:7626 https://access.redhat.com/errata/RHSA-2023:7626