Bug 12183

Summary: openssl new security issues CVE-2013-6450 and CVE-2013-4353
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: ennael1, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/578595/
Whiteboard: advisory mga3-64-ok, mga3-64-ok
Source RPM: openssl-1.0.1e-1.2.mga3.src.rpm CVE:
Status comment:

Description David Walser 2014-01-02 23:54:18 CET 
Debian has issued an advisory on January 1:
http://www.debian.org/security/2014/dsa-2833

They've also fixed CVE-2013-6449, which we have a fix in progress for in Bug 12096.  This is a less severe issue, so I've filed a separate bug for this so as to not hold up the update for that issue.

RedHat has a link to an upstream commit that fixes this:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6450

Reproducible: 

Steps to Reproduce:
David Walser 2014-01-02 23:54:26 CET

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-01-06 22:24:21 CET 
Upstream has released 1.0.1f, fixing this, as well as a new issue just announced today, CVE-2013-4353.
http://www.openssl.org/news/vulnerabilities.html#2013-6450

Cauldron has the patch for CVE-2013-4353 already, and a freeze push request is pending for the addition of the patch for CVE-2013-6450.  Both patches are in Mageia 3 SVN.

Summary: openssl new security issue CVE-2013-6450 => openssl new security issues CVE-2013-6450 and CVE-2013-4353

Comment 2 David Walser 2014-01-07 22:27:53 CET 
Debian has issued an advisory for CVE-2013-4353 today (January 7):
https://lists.debian.org/debian-security-announce/2014/msg00005.html

The DSA will be posted here:
http://www.debian.org/security/2014/dsa-2837

from http://lwn.net/Vulnerabilities/579459/
Comment 3 David Walser 2014-01-09 16:24:32 CET 
openssl-1.0.1e-8.mga4 uploaded for Cauldron.

Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)

Comment 4 David Walser 2014-01-09 17:19:55 CET 
Patched package uploaded for Mageia 3.

Advisory:
========================

Updated openssl packages fix security vulnerabilities:

The DTLS retransmission implementation in OpenSSL through 1.0.1e does not
properly maintain data structures for digest and encryption contexts, which
might allow man-in-the-middle attackers to trigger the use of a different
context by interfering with packet delivery (CVE-2013-6450).

A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL
pointer exception. A malicious server could use this flaw to crash a
connecting client (CVE-2013-4353).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4353
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6450
http://www.openssl.org/news/vulnerabilities.html
http://www.debian.org/security/2014/dsa-2833
http://www.debian.org/security/2014/dsa-2837
========================

Updated packages in core/updates_testing:
========================
openssl-1.0.1e-1.3.mga3
libopenssl-engines1.0.0-1.0.1e-1.3.mga3
libopenssl1.0.0-1.0.1e-1.3.mga3
libopenssl-devel-1.0.1e-1.3.mga3
libopenssl-static-devel-1.0.1e-1.3.mga3

from openssl-1.0.1e-1.3.mga3.src.rpm

Assignee: bugsquad => qa-bugs

David Walser 2014-01-09 17:45:51 CET

Severity: major => critical

Comment 5 Anne Nicolas 2014-01-16 13:34:43 CET 
update to openssl-1.0.1e-1.3 from testings.
I ran all the tests using the wiki page information. (https://wiki.mageia.org/en/QA_procedure:Openssl)

No regression on this new release. ok on x86_64

CC: (none) => ennael1
Whiteboard: (none) => mga3-64-ok

Comment 6 Anne Nicolas 2014-01-16 15:56:10 CET 
Same tests executed on i586. No regression

Whiteboard: mga3-64-ok => mga3-64-ok, mga3-64-ok

Comment 7 Anne Nicolas 2014-01-16 15:58:10 CET 
Update validated.
Thanks.

Advisory:
Updated openssl packages fix security vulnerabilities:

The DTLS retransmission implementation in OpenSSL through 1.0.1e does not
properly maintain data structures for digest and encryption contexts, which
might allow man-in-the-middle attackers to trigger the use of a different
context by interfering with packet delivery (CVE-2013-6450).

A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL
pointer exception. A malicious server could use this flaw to crash a
connecting client (CVE-2013-4353).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4353
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6450
http://www.openssl.org/news/vulnerabilities.html
http://www.debian.org/security/2014/dsa-2833
http://www.debian.org/security/2014/dsa-2837

SRPM: openssl-1.0.1e-1.3.mga3.src.rpm

Could sysadmin please push from core/updates_testing to core/updates.

Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2014-01-17 01:43:34 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0012.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Whiteboard: mga3-64-ok, mga3-64-ok => advisory mga3-64-ok, mga3-64-ok