File _patchinfo of Package patchinfo.41073
<patchinfo incident="41073">
<issue tracker="bnc" id="1233366">VUL-0: CVE-2024-33617: qatengine: insufficient control flow management may allow information disclosure via network access</issue>
<issue tracker="bnc" id="1233365">VUL-0: CVE-2024-31074: qatengine: observable timing discrepancy may allow information disclosure via network access</issue>
<issue tracker="bnc" id="1233363">VUL-0: CVE-2024-28885: qatengine: Observable discrepancy in some Intel(R) QAT Engine for OpenSSL software before version v1.6.1 may allow information disclosure via network access.</issue>
<issue tracker="cve" id="2024-31074"/>
<issue tracker="cve" id="2024-33617"/>
<issue tracker="cve" id="2024-28885"/>
<packager>duwe</packager>
<rating>moderate</rating>
<category>security</category>
<summary>Security update for qatengine, qatlib</summary>
<description>This update for qatengine, qatlib fixes the following issues:
Note that the 1.6.1 release included in 1.7.0 fixes the following vulnerabilities:
* CVE-2024-28885: Fixed an observable discrepancy in some Intel(R) QAT Engine for OpenSSL software before version v1.6.1 that may allow information disclosure via network access. (bsc#1233363)
* CVE-2024-31074: Fixed an observable timing discrepancy that may allow information disclosure via network access (bsc#1233365)
* CVE-2024-33617: Fixed insufficient control flow management that may allow information disclosure via network access (bsc#1233366)
qatengine was updated to 1.7.0:
* ipp-crypto name change to cryptography-primitives
* QAT_SW GCM memory leak fix in cleanup function
* Update limitation section in README for v1.7.0 release
* Fix build with OPENSSL_NO_ENGINE
* Fix for build issues with qatprovider in qatlib
* Bug fixes and README updates to v1.7.0
* Remove qat_contig_mem driver support
* Add support for building QAT Engine ENGINE and PROVIDER modules with QuicTLS 3.x libraries
* Fix for DSA issue with openssl3.2
* Fix missing lower bounds check on index i
* Enabled SW Fallback support for FBSD
* Fix for segfault issue when SHIM config section is unavailable
* Fix for Coverity & Resource leak
* Fix for RSA failure with SVM enabled in openssl-3.2
* SM3 Memory Leak Issue Fix
* Fix qatprovider lib name issue with system openssl
Update to 1.6.0:
* Fix issue with make depend for QAT_SW
* QAT_HW GCM Memleak fix & bug fixes
* QAT2.0 FreeBSD14 intree driver support
* Fix OpenSSL 3.2 compatibility issues
* Optimize hex dump logging
* Clear job tlv on error
* QAT_HW RSA Encrypt and Decrypt provider support
* QAT_HW AES-CCM Provider support
* Add ECDH keymgmt support for provider
* Fix QAT_HW SM2 memory leak
* Enable qaeMemFreeNonZeroNUMA() for qatlib
* Fix polling issue for the process that doesn't have QAT_HW instance
* Fix SHA3 qctx initialization issue & potential memleak
* Fix compilation error in SM2 with qat_contig_mem
* Update year in copyright information to 2024
- update to 24.09.0:
* Improved performance scaling in multi-thread applications
* Set core affinity mapping based on NUMA (libnuma now required for building)
* bug fixes, see https://github.com/intel/qatlib#resolved-issues
- version update to 24.02.0
* Support DC NS (NoSession) APIs
* Support Symmetric Crypto SM3 & SM4
* Support Asymmetric Crypto SM2
* Support DC CompressBound APIs
* Bug Fixes. See Resolved section in README.md
</description>
</patchinfo>