[Pkg-openssl-devel] EXTERNAL: Re: Patch for critical CVE in OpenSSL

chilly chilly at cylitic.com
Thu Jun 23 19:21:39 BST 2022


Hey Kurt,

Thank you for the quick and informative response! I think I saw the c_rehash exploitation and mistook CVE-2022-1292 for CVE-2022-2068. I agree that if it is not exploitable over the network, a 9.8 is frankly ridiculous, as the CVSS 3.1 vector shows the CVE as network exploitable (AV:N). I just saw the vulnerable version in the original CVE https://nvd.nist.gov/vuln/detail/CVE-2022-1292 and that we are still on 1.1.1n, and assumed it was vulnerable since it matched the vulnerable version number in the CPE specifications. It seems the answer was in front of me!

So, in regard to CVE-2022-2068, I see now that there are fixes for each release in the security repos.

Thanks a bunch,

Chilly


From: Kurt Roeckx <kurt at roeckx.be>
Date: Thursday, June 23, 2022 at 13:16
To: chilly <chilly at cylitic.com>
Cc: pkg-openssl-devel at lists.alioth.debian.org <pkg-openssl-devel at lists.alioth.debian.org>
Subject: EXTERNAL: Re: [Pkg-openssl-devel] Patch for critical CVE in OpenSSL
On Thu, Jun 23, 2022 at 04:45:23PM +0000, chilly wrote:
> Hello everyone!
>
> First time messaging this mailing list but at the moment there is a pretty nasty CVE for OpenSSL https://nvd.nist.gov/vuln/detail/CVE-2022-1292. It’s a 9.8/10 command execution and has already been patched (since 1.1.1p for stable). Looking at https://security-tracker.debian.org/tracker/source-package/openssl I see that the patch hasn’t deployed yet and I just wanted to bring that to everyone’s attention. If anyone needs help maintaining the package please let me know!

If you look at the security-tracker page you've linked to, you'll see it
in the resolved issues section. If you go to
https://security-tracker.debian.org/tracker/CVE-2022-1292 you'll see
that it's fixed in all suites.

The 9.8/10 is really just plain wrong, it's not exploitable over the
network.

There is also CVE-2022-2068, which is very similar, and hasn't been
fixed in all suites yet. It's unlikely that this will actually
affect you.


Kurt