OpenSSL 1.1.1j, wolfSSL 4.7.0 and LibreSSL 3.2.4 update

A corrective release of the OpenSSL cryptographic library, version 1.1.1j, is available; it fixes two vulnerabilities (the third entry below affects only the 1.0.2 branch):

  • CVE-2021-23841 - NULL pointer dereference in the X509_issuer_and_serial_hash() function, which may crash applications that call it to process X509 certificates carrying an invalid value in the issuer field.
  • CVE-2021-23840 - Integer overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions: the call can return 1 (indicating success) while setting the output length to a negative value, which can crash applications or disrupt their normal behaviour.
  • CVE-2021-23839 - A flaw in the implementation of the protection against rollback to the SSLv2 protocol. Affects only the old 1.0.2 branch.

The LibreSSL 3.2.4 package, in which the OpenBSD project develops a fork of OpenSSL aimed at a higher level of security, has also been released. The release is notable for reverting to the old certificate verification code used in LibreSSL 3.1.x, because some applications that carry workarounds for bugs in the old code stopped working normally with the new one. Among the new features, the addition of exporter and autochain implementations for TLSv1.3 stands out.

In addition, wolfSSL 4.7.0 has been released: a compact cryptographic library optimized for CPU- and memory-constrained embedded devices such as IoT devices, smart home systems, automotive infotainment systems, routers and mobile phones. The code is written in C and distributed under the GPLv2 license.

The new version supports RFC 5705 (Keying Material Exporters for TLS) and S/MIME (Secure/Multipurpose Internet Mail Extensions). An "--enable-reproducible-build" flag was added to ensure reproducible builds. The SSL_get_verify_mode, X509_VERIFY_PARAM and X509_STORE_CTX APIs were added to the OpenSSL compatibility layer. The WOLFSSL_PSK_IDENTITY_ALERT macro was implemented. A new function, _CTX_NoTicketTLSv12, disables TLS 1.2 session tickets while keeping them for TLS 1.3.

Source: opennet.ru