CVE-2023-2650 openssl (libssl1.1) 1.1.1n-0+deb11u4 #195

Closed
vomba opened this issue Jun 2, 2023 · 1 comment

Comments

@vomba

vomba commented Jun 2, 2023

https://avd.aquasec.com/nvd/cve-2023-0464

reported 3 days ago, and a fix update is available.

@yosifkit
Collaborator

yosifkit commented Jun 5, 2023

https://tracker.debian.org/news/1432726/accepted-openssl-111n-0deb11u5-source-into-stable-security/

It looks like there are 4 different OpenSSL CVEs fixed in openssl 1.1.1n-0+deb11u5 in Debian Bullseye and they all seem relatively harmless. Three of them deal with "X.509 policy", which is disabled by default (a user who knows that they use policies can update early with apt-get update+upgrade). The 4th is "not affected" in OpenSSL 1.1.1 (default in Debian Bullseye and below):

In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,
such as X.509 certificates. This is assumed to not happen in such a way
that it would cause a Denial of Service, so these versions are considered
not affected by this issue in such a way that it would be cause for concern,
and the severity is therefore considered low.

I understand that we should update as soon as possible, but I think that these can wait for one week. This would be just after the release of Debian Bookworm and so we'd be rebuilding the images for that anyway. I'd rather not update the images (including all dependent Docker Official Images) two weeks in a row and cause extra churn for users.

Happy to change my mind if any of these CVEs are more nefarious than I can see.
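The question both comments turn on is whether an image's installed libssl1.1 is older than the Debian fixed version (1.1.1n-0+deb11u5) for these CVEs. The following is an added example written for this thread, not code from the Docker Official Images project or from either commenter: it reimplements dpkg's version ordering (epoch, upstream, revision; `~` sorts before everything, digit runs compare numerically) so the check can run where `dpkg --compare-versions` is not available, such as in a scanner. The fixed version and the two CVE ids come from this issue; the `dpkg-query` output it parses is a constructed sample.

```python
"""Check an installed Debian package version against the fixed version from a
Debian security advisory, using dpkg's own version-ordering rules.

Added example for this issue thread (not Docker Official Images code). The
fixed version 1.1.1n-0+deb11u5 and the CVE ids are taken from the thread; the
dpkg-query output below is constructed for the demo.
"""
import re

# CVEs the thread names as fixed in openssl 1.1.1n-0+deb11u5 (Debian Bullseye).
# The Debian tracker entry mentions four; only these two are named in the issue.
FIXED_IN_BULLSEYE = {
    "CVE-2023-2650": "1.1.1n-0+deb11u5",
    "CVE-2023-0464": "1.1.1n-0+deb11u5",
}


def _order(c):
    """Character weight used by dpkg: '~' sorts before everything (even end of
    string), letters sort before non-letters; end of string and digits are 0."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare one version component (upstream or revision) the way dpkg does:
    alternate non-digit runs (lexical with dpkg's weights) and digit runs
    (numeric, leading zeros ignored). Returns <0, 0 or >0."""
    while a or b:
        first_diff = 0
        # Non-digit run: compare character by character with dpkg's weights.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: drop leading zeros, then the longer run wins, else the
        # first differing digit decides.
        a, b = a.lstrip("0"), b.lstrip("0")
        while a[:1].isdigit() and b[:1].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():
            return 1
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' (epoch and revision optional)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def debian_version_compare(v1, v2):
    """Return <0, 0, >0 like `dpkg --compare-versions v1 lt|eq|gt v2`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def unfixed_cves(installed, advisories=FIXED_IN_BULLSEYE):
    """CVEs whose fixed version is newer than the installed version."""
    return sorted(cve for cve, fixed in advisories.items()
                  if debian_version_compare(installed, fixed) < 0)


_DPKG_LINE = re.compile(r"^(\S+)\s+(\S+)$")


def parse_dpkg_query(output):
    """Parse `dpkg-query -W -f='${Package} ${Version}\\n'` output into a dict."""
    pkgs = {}
    for line in output.splitlines():
        m = _DPKG_LINE.match(line.strip())
        if m:
            pkgs[m.group(1)] = m.group(2)
    return pkgs


# Constructed sample: what dpkg-query prints in a Bullseye image built before the fix.
SAMPLE_DPKG_OUTPUT = """libssl1.1 1.1.1n-0+deb11u4
openssl 1.1.1n-0+deb11u4
"""

if __name__ == "__main__":
    pkgs = parse_dpkg_query(SAMPLE_DPKG_OUTPUT)
    for pkg, version in pkgs.items():
        missing = unfixed_cves(version)
        print(f"{pkg} {version}: " + (", ".join(missing) if missing else "fixed"))
```

In a real image the `SAMPLE_DPKG_OUTPUT` would be replaced by the output of `dpkg-query -W -f='${Package} ${Version}\n' libssl1.1 openssl` run inside the container; the comparison logic is the part a scanner needs to get right, since a naive string compare would rank `deb11u10` below `deb11u9`.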


3 participants