SB2021033118 - Gentoo update for OpenSSL

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2021-23840)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input during EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate calls. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

2) NULL pointer dereference (CVE-ID: CVE-2021-23841)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within the X509_issuer_and_serial_hash() function when parsing the issuer field in the X509 certificate. A remote attacker can supply a specially crafted certificate, trigger a NULL pointer dereference error and perform a denial of service (DoS) attack.

3) NULL pointer dereference (CVE-ID: CVE-2021-3449)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when processing TLSv1.2 renegotiations. A remote attacker can send a maliciously crafted renegotiation ClientHello message, which omits the signature_algorithms extension but includes a signature_algorithms_cert extension, trigger a NULL pointer dereference error and crash the server.

4) Security features bypass (CVE-ID: CVE-2021-3450)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an error in implementation of the X509_V_FLAG_X509_STRICT flag allows an attacker to overwrite a valid CA certificate using any non-CA certificate in the chain. As a result, a remote attacker can perform MitM attack.

Remediation

Install update from vendor's website.

References

• https://security.gentoo.org/
• https://security.gentoo.org/glsa/202103-03