A corrective release of the OpenSSL 1.1K cryptographic library is available; it eliminates two vulnerabilities that have been assigned a high severity level:
- CVE-2021-3450 – the ability to bypass verification of a certificate authority certificate when the X509_V_FLAG_X509_STRICT flag is turned on. The flag is disabled by default and enables additional checks for certificates in the chain. The problem was introduced in the implementation of a new check, which prohibits the use of certificates in the chain that explicitly encode elliptic curve parameters.
Due to an error in the code, the new check overrode the result of the earlier check of the correctness of the certificate authority certificate. As a result, certificates certified by a self-signed certificate that is not linked by a chain of trust to a certificate authority were treated as fully trusted. The vulnerability does not manifest when the "purpose" parameter is set, which is done by default in the client and server certificate verification procedures in libssl (used for TLS).
- CVE-2021-3449 – the ability to crash a TLS server by having a client send a specially crafted ClientHello message. The problem is related to a NULL pointer dereference in the implementation of the signature_algorithms extension. The problem manifests only on servers that support TLSv1.2 and allow connection renegotiation (enabled by default).
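The result-override error described for CVE-2021-3450, shown as an added, simplified model next to a hardened form. This is not OpenSSL's code: the struct, the function names and the way the "purpose" re-check is modelled are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed, simplified model of an issuer certificate; not an OpenSSL type. */
struct issuer_model {
    bool is_ca;           /* passes the "is a CA certificate" check */
    bool explicit_curve;  /* elliptic curve parameters explicitly encoded */
};

/* Vulnerable pattern: the strict-mode check assigns to the shared result,
 * discarding the failure recorded by the earlier CA check. */
int check_vulnerable(const struct issuer_model *c, bool strict, bool purpose_set)
{
    int ok = c->is_ca ? 1 : 0;       /* earlier check */
    if (strict)
        ok = !c->explicit_curve;     /* new check overwrites ok */
    /* Assumption: with a purpose set, CA status is checked again independently. */
    if (purpose_set && !c->is_ca)
        return 0;
    return ok;
}

/* Hardened pattern: a later check can only turn success into failure. */
int check_fixed(const struct issuer_model *c, bool strict, bool purpose_set)
{
    int ok = c->is_ca ? 1 : 0;
    if (strict && c->explicit_curve)
        ok = 0;
    if (purpose_set && !c->is_ca)
        return 0;
    return ok;
}

int main(void)
{
    /* Constructed sample: an issuer that is not a CA and uses a named curve. */
    const struct issuer_model non_ca = { false, false };
    for (int strict = 0; strict <= 1; strict++)
        for (int purpose = 0; purpose <= 1; purpose++)
            printf("strict=%d purpose=%d vulnerable=%d fixed=%d\n",
                   strict, purpose,
                   check_vulnerable(&non_ca, strict, purpose),
                   check_fixed(&non_ca, strict, purpose));
    return 0;
}
```

Only the combination of strict mode on and no purpose set makes the two functions disagree, which matches the conditions the advisory text gives.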