mirror of
https://git.yoctoproject.org/poky
synced 2026-06-01 15:52:39 +02:00
d6f3ce1651
A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. The CVE-2023-50781 in M2Crypto is addressed by modifying OpenSSL because M2Crypto relies on OpenSSL for its cryptographic operations.The issue stems from OpenSSL’s RSA PKCS#1 v1.5 padding verification being vulnerable to Bleichenbacher-type attacks.To mitigate this, OpenSSL introduced an implicit rejection mechanism in the RSA PKCS#1 v1.5 padding.Therefore, resolving the vulnerability requires changes within OpenSSL itself to ensure M2Crypto’s security. References: https://nvd.nist.gov/vuln/detail/CVE-2023-50781 https://github.com/openssl/openssl/pull/13817/commits https://todo.sr.ht/~mcepl/m2crypto/342?__goaway_challenge=meta-refresh&__goaway_id=45a03d6accb7b343867110db1f7fb334 (From OE-Core rev: d24c4923d6f7a25bdc3ec5d4ac6bee32bb0bae88) Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>