Bug 13210

Summary: openssl new security issue CVE-2010-5298
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: filorin, sysadmin-bugs, tmb, wassi
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/595444/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Source RPM: openssl-1.0.1g-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2014-04-14 23:29:55 CEST 
A CVE was assigned for a use-after-free flaw in OpenSSL:
http://openwall.com/lists/oss-security/2014/04/14/6

OpenBSD's patch is here:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/008_openssl.patch

There was a comment on the oss-security thread about something being a "NOP," but I don't know if that's referring to the vulnerability or the patch or something else.  I have the OpenBSD patch in SVN currently, but I'm waiting to make sure it's the correct solution.

For further reference, here's RedHat's bug:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-5298

Reproducible: 

Steps to Reproduce:
David Walser 2014-04-14 23:30:02 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-04-18 18:11:31 CEST 
Debian has issued an advisory for this on April 17:
https://www.debian.org/security/2014/dsa-2908

I'll double check their patch and push an update next week.

URL: (none) => http://lwn.net/Vulnerabilities/595444/

Comment 2 David Walser 2014-04-21 23:26:40 CEST 
The CVE-2010-5298 patch from OpenBSD is indeed the one Debian used.

Debian also added the patch from the commit referenced in this oss-security thread:
http://openwall.com/lists/oss-security/2014/04/16/4

That's the critical flag with TSA certificates issue referenced in their advisory.  I've added this patch as well.

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated openssl packages fix security vulnerability:

A read buffer can be freed even when it still contains data that is used
later on, leading to a use-after-free. Given a race condition in a
multi-threaded application it may permit an attacker to inject data from
one connection into another or cause denial of service (CVE-2010-5298).

Also fixed in this update is a potential security issue with detection of
the "critical" flag for the TSA extended key usage under certain cases.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
https://www.debian.org/security/2014/dsa-2908
========================

Updated packages in core/updates_testing:
========================
openssl-1.0.1e-1.7.mga3
libopenssl-engines1.0.0-1.0.1e-1.7.mga3
libopenssl1.0.0-1.0.1e-1.7.mga3
libopenssl-devel-1.0.1e-1.7.mga3
libopenssl-static-devel-1.0.1e-1.7.mga3
openssl-1.0.1e-8.4.mga4
libopenssl-engines1.0.0-1.0.1e-8.4.mga4
libopenssl1.0.0-1.0.1e-8.4.mga4
libopenssl-devel-1.0.1e-8.4.mga4
libopenssl-static-devel-1.0.1e-8.4.mga4

from SRPMS:
openssl-1.0.1e-1.7.mga3.src.rpm
openssl-1.0.1e-8.4.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 3 Guillaume 2014-04-22 09:44:50 CEST 
Tests done on Mga i586. All is working properly concerning openSSL (access to https pages indeed).

CC: (none) => filorin.mageia

Comment 4 user7 2014-04-22 12:49:43 CEST 
Guillaume did you test on Mga 3 or 4?

CC: (none) => wassi

Comment 5 Guillaume 2014-04-22 13:03:20 CEST 
Oops, forgotten ... Mga4. I add the ok.

Whiteboard: MGA3TOO => MGA3TOO mga4-32-ok

Comment 6 claire robinson 2014-04-22 16:09:43 CEST 
Procedure: https://wiki.mageia.org/en/QA_procedure:Openssl

Whiteboard: MGA3TOO mga4-32-ok => MGA3TOO has_procedure mga4-32-ok

Comment 7 claire robinson 2014-04-22 16:17:00 CEST 
Testing all of them now.
Comment 8 claire robinson 2014-04-22 16:42:09 CEST 
Testing complete.

Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga4-32-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 9 Thomas Backlund 2014-04-23 18:18:37 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0187.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED