ELSA-2021-9561 -- Oracle opensslID: oval:org.secpod.oval:def:1505287 | Date: (C)2021-11-26 (M)2023-12-20 |
Class: PATCH | Family: unix |
[1:1.1.1k-4] - Fixes bugs in s390x AES code. - Uses the first detected address family if IPv6 is not available - Reverts the changes in https://github.com/openssl/openssl/pull/13305 as it introduces a regression if server has a DSA key pair, the handshake fails when the protocol is not explicitly set to TLS 1.2. However, if the patch is reverted, it has an effect on the "ssl_reject_handshake" feature in nginx. Although, this feature will continue to work, TLS 1.3 protocol becomes unavailable/disabled. This is already known - https://trac.nginx.org/nginx/ticket/2071#comment:1 As per https://github.com/openssl/openssl/issues/16075#issuecomment-879939938, nginx could early callback instead of servername callback. - Resolves: rhbz#1978214 - Related: rhbz#1934534 [1:1.1.1k-3] - Cleansup the peer point formats on renegotiation - Resolves rhbz#1965362 [1:1.1.1k-2] - Fixes FIPS_selftest to work in FIPS mode. Resolves: rhbz#1940085 - Using safe primes for FIPS DH self-test [1.1.1k-1] - Update to version 1.1.1k [1.1.1g-16] - Use AI_ADDRCONFIG only when explicit host name is given - Allow only curves defined in RFC 8446 in TLS 1.3