Hi there,

On Fri, 24 Oct 2025, Mark Thomas wrote:
...
...

This thread started as a direct result of a discussion at Code & Compliance. I'll let Dirk-Willem fill in the details but there is - currently - an expectation that OSS will not be releasing software with known vulnerabilities. The purpose of this thread is to collect examples as to why that might not always be the case so that it can be fed back and the expectation corrected.
...
...

The message below arrived this morning.  It may be a data point for you.

--

73,
Ged.

8<----------------------------------------------------------------------
From [email protected] Fri Oct 24 00:12:29 2025
Date: Thu, 23 Oct 2025 15:27:40 -0700 (PDT)
From: Slackware Security Team <[email protected]>
To: [email protected]
Subject: [slackware-security]  openssl (SSA:2025-296-01)
Received-SPF: pass (mail6.jubileegroup.co.uk: slackware.com:
        64.57.102.36 is authorized to use
        '[email protected]' in
        'mfrom' identity (mechanism 'ip4:64.57.102.36/29' matched)
        client-ip=64.57.102.36;
        helo=connie.slackware.com)
X-AS-Number: AS11620
        ([SUCCEED-NET] [US] [64.57.102.36])
X-SPF-hello: none
        ([connie.slackware.com]=none)
X-SPF-mfrom: pass
        ([slackware.com]=[v=spf1 ip4:64.57.102.36/29 -all])
        (DNS lookups=[0] void lookups=[0])
X-DKIM-auth: none
        ([2025-10-23 23:12:28Z mail6.jubileegroup.co.uk]
        [result=No DKIM signature found in message])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  openssl (SSA:2025-296-01)

New openssl packages are available for Slackware 15.0 to fix a security issue.


Here are the details from the Slackware 15.0 ChangeLog:
+--------------------------+
patches/packages/openssl-1.1.1zd-i586-1_slack15.0.txz:  Upgraded.
  Apply patch to fix a moderate severity security issue:
  Fix incorrect check of unwrapped key size in kek_unwrap_key()
  The check is off by 8 bytes so it is possible to overread by up to 8 bytes
  and overwrite up to 4 bytes.
  Although the consequences of a successful exploit of this vulnerability
  could be severe, the probability that the attacker would be able to perform
  it is low. Besides, password based (PWRI) encryption support in CMS
  messages is very rarely used.
  This CVE was fixed by the 1.1.1zd release that is only available to
  subscribers to OpenSSL's premium extended support. The patch was prepared
  by backporting from the OpenSSL-3.0 repo.
  Thanks to Ken Zalewski for the patch!
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2025-9230
  (* Security fix *)
patches/packages/openssl-solibs-1.1.1zd-i586-1_slack15.0.txz:  Upgraded.
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated packages for Slackware 15.0:
ftp://ftp.slackware.com/pub/slackware/slackware-15.0/patches/packages/openssl-1.1.1zd-i586-1_slack15.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-15.0/patches/packages/openssl-solibs-1.1.1zd-i586-1_slack15.0.txz

Updated packages for Slackware x86_64 15.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-15.0/patches/packages/openssl-1.1.1zd-x86_64-1_slack15.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-15.0/patches/packages/openssl-solibs-1.1.1zd-x86_64-1_slack15.0.txz


MD5 signatures:
+-------------+

Slackware 15.0 packages:
5917ba00eca52d7e3377c051c02772a6  openssl-1.1.1zd-i586-1_slack15.0.txz
1d8b3745c638b4788d22abf581ab3c2d  openssl-solibs-1.1.1zd-i586-1_slack15.0.txz

Slackware x86_64 15.0 packages:
231482c02ec0e0ca42dffafaf8ef9e01  openssl-1.1.1zd-x86_64-1_slack15.0.txz
43b1705338bcd157b2e78f98d61ffd34  openssl-solibs-1.1.1zd-x86_64-1_slack15.0.txz


Installation instructions:
+------------------------+

Upgrade the packages as root:
# upgradepkg openssl-1.1.1zd-i586-1_slack15.0.txz openssl-solibs-1.1.1zd-i586-1_slack15.0.txz


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
[email protected]

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to [email protected] with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQTsVknaQB4iq/pnNu9qRGPAQBAiMwUCaPqo7gAKCRBqRGPAQBAi
M3h5AJ9XHYnF3TVFgPrrGyQWAuW4qRZo8gCfcjF1lYU67kqQITkGC8nbdT/Pn6E=
=3GkA
-----END PGP SIGNATURE-----
8<----------------------------------------------------------------------
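The off-by-8 length check that the ChangeLog entry above describes, modelled as an added example (this is not OpenSSL's kek_unwrap_key() and not part of the original thread): the RFC 3211 block layout, the buggy and the corrected length check side by side, and the over-read each admits. KEY_HDR, length_check_buggy, length_check_fixed, overread_bytes and extract_key are names chosen for this illustration.

```c
/* Model of the unwrapped-key length check the advisory describes for
 * CVE-2025-9230. Added illustration only, not OpenSSL's kek_unwrap_key().
 * RFC 3211 layout after decryption: byte 0 = key length, bytes 1-3 =
 * bitwise complement of the first three key bytes, key starts at byte 4. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_HDR 4   /* length byte plus 3-byte key checksum */
/* Described bug: the comparison is against keylen - 4 instead of keylen + 4,
 * so it rejects only when keylen > inlen + 4 (written here in the
 * algebraically equivalent, overflow-free form). */
static bool length_check_buggy(size_t inlen, size_t keylen)
{
    return keylen <= inlen + KEY_HDR;
}

/* Corrected check: header plus key must fit inside the decrypted buffer. */
static bool length_check_fixed(size_t inlen, size_t keylen)
{
    return keylen + KEY_HDR <= inlen;
}

/* Bytes a copy of keylen bytes from offset 4 would read past the buffer. */
static size_t overread_bytes(size_t inlen, size_t keylen)
{
    size_t end = keylen + KEY_HDR;
    return end > inlen ? end - inlen : 0;
}

/* Parse a decrypted block with the corrected check. Returns the key length
 * copied into out, or 0 when the block is rejected. */
static size_t extract_key(const uint8_t *buf, size_t inlen,
                          uint8_t *out, size_t outcap)
{
    if (inlen < KEY_HDR + 3)        /* need length, checksum and 3 key bytes */
        return 0;
    size_t keylen = buf[0];
    if (keylen < 3 || !length_check_fixed(inlen, keylen) || keylen > outcap)
        return 0;
    /* Checksum bytes are the complement of the key's first three bytes. */
    if (buf[1] != (uint8_t)~buf[4] || buf[2] != (uint8_t)~buf[5] ||
        buf[3] != (uint8_t)~buf[6])
        return 0;
    memcpy(out, buf + KEY_HDR, keylen);
    return keylen;
}
```

With a 16-byte decrypted block, the buggy check still accepts a claimed key length of 20, which a copy from offset 4 would turn into an 8-byte over-read; the corrected check caps the claimed length at 12.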
