[Bug 1208393] New: OpenSSL 3.0.8 breaks PKITS test 4.1.5 (which requires DSA parameter inheritance)
http://bugzilla.opensuse.org/show_bug.cgi?id=1208393

Bug ID: 1208393
Summary: OpenSSL 3.0.8 breaks PKITS test 4.1.5 (which requires DSA parameter inheritance)
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: otto.hollmann@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Indeed, just decoding the certificate fails:

    openssl x509 -noout -text -in ValidDSAParameterInheritanceTest5EE.crt

The output includes

    Subject Public Key Info:
    Public Key Algorithm: dsaEncryption
    Unable to load Public Key
    40477373937F0000:error:03000072:digital envelope routines:X509_PUBKEY_get0:decode error:../crypto/x509/x_pubkey.c:458:
    40477373937F0000:error:03000072:digital envelope routines:X509_PUBKEY_get0:decode error:../crypto/x509/x_pubkey.c:458:
    X509v3 extensions:

Upstream issues:
https://github.com/openssl/openssl/issues/20233
https://github.com/openssl/openssl/issues/20309

Also it is causing build failure of qca:qt5 package and thus blocking release of OpenSSL 3.0.8 with 8 CVE fixes.

--
You are receiving this mail because:
You are on the CC list for the bug.
Otto Hollmann
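
To find certificates that rely on DSA parameter inheritance without going through the OpenSSL decoder that fails above, the SubjectPublicKeyInfo can be inspected directly. The following is an added example, not part of the bug thread or of OpenSSL: a minimal DER walker in Python that reports whether a DSA key carries its own p, q, g or omits them. The function names and the constructed sample bytes are assumptions for illustration, and input is expected as DER (decode PEM first).

```python
# Added example (not from the bug thread): find DSA keys that omit p, q, g.
DSA_OID = bytes.fromhex("2a8648ce380401")  # id-dsa, 1.2.840.10040.4.1

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value, end_offset)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of input")
    return tag, buf[pos:pos + length], pos + length

def spki_from_cert(cert_der):
    """Return the SubjectPublicKeyInfo contents from a DER X.509 certificate."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert, 0)  # tbsCertificate
    tag, _, pos = read_tlv(tbs, 0)  # [0] version if present, else serialNumber
    for _ in range(5 if tag == 0xA0 else 4):  # skip up to and including subject
        _, _, pos = read_tlv(tbs, pos)
    tag, spki, _ = read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return spki

def dsa_params_status(spki):
    """Classify SPKI contents as 'not-dsa', 'explicit' or 'inherited'."""
    tag, alg, _ = read_tlv(spki, 0)  # AlgorithmIdentifier
    tag2, oid, pos = read_tlv(alg, 0)
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    if oid != DSA_OID:
        return "not-dsa"
    if pos == len(alg):  # parameters field omitted: key depends on the issuer's
        return "inherited"
    tag, _, _ = read_tlv(alg, pos)
    if tag != 0x30:
        raise ValueError("unexpected DSA parameters encoding")
    return "explicit"

# Constructed sample SPKI contents (toy values, not from any real certificate).
INHERITED_SPKI = bytes.fromhex("300906072a8648ce380401" "030400020104")
EXPLICIT_SPKI = bytes.fromhex("301406072a8648ce380401300902011702010b020104" "030400020104")
```

Calling `dsa_params_status(spki_from_cert(der_bytes))` on each certificate in a trust store or test suite lists the ones that the decode error above would affect.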
http://bugzilla.opensuse.org/show_bug.cgi?id=1208393#c1
Jazz
Hi Otto,

just checked both upstream bugs. The first one (https://github.com/openssl/openssl/issues/20233) mentions that there will be no change in upstream, as a change according to the RFC 3279 might cause CVE-2023-0217. The second bug (https://github.com/openssl/openssl/issues/20309) was closed without change.

Is there any chance that we could have openssl-3 3.0.8 available as it fixes various CVEs? Uninstalling libopenssl3 is currently no workaround, as it will remove hundreds of other packages.
http://bugzilla.opensuse.org/show_bug.cgi?id=1208393#c4
--- Comment #4 from OBSbugzilla Bot