It was discovered that OpenSSL incorrectly handled certain X.509 Email Addresses. If a certificate authority were tricked into signing a specially-crafted certificate, a remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. The default compiler options for affected releases reduce the vulnerability to a denial of service. (CVE-2022-3602, CVE-2022-3786)
It was discovered that OpenSSL incorrectly handled applications creating custom ciphers via the legacy EVPCIPHERmeth_new() function. This issue could cause certain applications that mishandled values to the function to possibly end up with a NULL cipher and messages in plaintext. (CVE-2022-3358)
{ "availability": "No subscription required", "binaries": [ { "binary_name": "libssl-dev", "binary_version": "3.0.2-0ubuntu1.7" }, { "binary_name": "libssl-doc", "binary_version": "3.0.2-0ubuntu1.7" }, { "binary_name": "libssl3", "binary_version": "3.0.2-0ubuntu1.7" }, { "binary_name": "libssl3-dbgsym", "binary_version": "3.0.2-0ubuntu1.7" }, { "binary_name": "openssl", "binary_version": "3.0.2-0ubuntu1.7" }, { "binary_name": "openssl-dbgsym", "binary_version": "3.0.2-0ubuntu1.7" } ] }