OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Security Fix: * openssl: read buffer overflow in X.509 certificate verification * openssl: timing attack in RSA Decryption implementation * openssl: double free after calling PEM_read_bio_ex * openssl: use-after-free following BIO_new_NDEF * openssl: invalid pointer dereference in d2i_PKCS7 functions * openssl: NULL dereference validating DSA public key * openssl: X.400 address type confusion in X.509 GeneralName * openssl: NULL dereference during PKCS7 data verification For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section. * In FIPS mode, openssl should set a minimum length for passwords in PBKDF2 * stunnel consumes high amount of memory when pestered with TCP connections without a TLS handshake * In FIPS mode, openssl should reject SHAKE as digest for RSA-OAEP or provide an indicator * In FIPS mode, openssl should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator * In FIPS mode, openssl should reject RSA signatures with X9.31 padding, or provide an indicator * In FIPS mode, openssl should reject SHA-224, SHA-384, SHA-512-224, and SHA-512-256 as hashes for hash-based DRBGs, or provide an indicator after 2023-05-16 - error:03000093:digital envelope routines::command not supported when git clone is run with configured ibmca engine backed by libica.so.4 * OpenSSL FIPS checksum code needs update