Bug 22842

Summary: openssl new security issue CVE-2018-0739
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: brtians1, sysadmin-bugs
Version: 6Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK mga5-32-ok mga6-32-ok
Source RPM: openssl-1.0.2n-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2018-03-31 17:42:06 CEST 
Upstream has issued an advisory on March 27:
https://www.openssl.org/news/secadv/20180327.txt

The issue is fixed in 1.0.2o.

Mageia 5 is also affected.

Updated packages uploaded for Mageia 5, Mageia 6, and Cauldron.

Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Openssl

Advisory:
========================

Updated openssl packages fix security vulnerability:

Constructed ASN.1 types with a recursive definition (such as can be found in
PKCS7) could eventually exceed the stack given malicious input with excessive
recursion. This could result in a Denial Of Service attack. There are no such
structures used within SSL/TLS that come from untrusted sources so this is
considered safe (CVE-2018-0739).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739
https://www.openssl.org/news/secadv/20180327.txt
========================

Updated packages in core/updates_testing:
========================
openssl-1.0.2o-1.mga5
libopenssl-engines1.0.0-1.0.2o-1.mga5
libopenssl1.0.0-1.0.2o-1.mga5
libopenssl-devel-1.0.2o-1.mga5
libopenssl-static-devel-1.0.2o-1.mga5
openssl-1.0.2o-1.mga6
libopenssl-engines1.0.0-1.0.2o-1.mga6
libopenssl1.0.0-1.0.2o-1.mga6
libopenssl-devel-1.0.2o-1.mga6
libopenssl-static-devel-1.0.2o-1.mga6
openssl-perl-1.0.2o-1.mga6

from SRPMS:
openssl-1.0.2o-1.mga5.src.rpm
openssl-1.0.2o-1.mga6.src.rpm
David Walser 2018-03-31 17:42:19 CEST

Whiteboard: (none) => MGA5TOO
Keywords: (none) => has_procedure

Comment 1 Brian Rockwell 2018-04-02 16:20:03 CEST 
$ uname -a
Linux localhost 4.14.25-desktop-1.mga6 #1 SMP Fri Mar 9 19:48:35 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux


The following 5 packages are going to be installed:

- lib64openssl-engines1.0.0-1.0.2o-1.mga6.x86_64
- lib64openssl1.0.0-1.0.2o-1.mga6.x86_64
- openssl-1.0.2o-1.mga6.x86_64
- openssl-perl-1.0.2o-1.mga6.x86_64
- perl-WWW-Curl-4.170.0-12.mga6.x86_64

151KB of additional disk space will be used.

1.6MB of packages will be retrieved.

Is it ok to continue?


$ openssl version
OpenSSL 1.0.2o  27 Mar 2018


$ openssl speed

I let it run through the whole gamut of tests

Works as designed.

CC: (none) => brtians1
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

Comment 2 Brian Rockwell 2018-04-02 16:53:12 CEST 
$ uname -a
Linux localhost 4.4.114-desktop-1.mga5 #1 SMP Wed Jan 31 19:24:17 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

The following 4 packages are going to be installed:

- lib64openssl-devel-1.0.2o-1.mga5.x86_64
- lib64openssl-engines1.0.0-1.0.2o-1.mga5.x86_64
- lib64openssl1.0.0-1.0.2o-1.mga5.x86_64
- openssl-1.0.2o-1.mga5.x86_64

3.5KB of additional disk space will be used.

2.8MB of packages will be retrieved.

Is it ok to continue?


$ openssl version
OpenSSL 1.0.2o  27 Mar 2018

$ openssl speed

let it run through the whole gamut

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK

Comment 3 Brian Rockwell 2018-04-02 17:10:44 CEST 
also ran to an internal server

$ openssl s_time -connect  server:443


1261 connections in 0.80s; 1576.25 connections/user sec, bytes read 0
1261 connections in 31 real seconds, 0 bytes read per connection
Comment 4 Brian Rockwell 2018-04-02 17:44:47 CEST 
$ uname -a
Linux localhost 4.4.114-desktop-1.mga5 #1 SMP Wed Jan 31 20:41:03 UTC 2018 i686 i686 i686 GNU/Linux


$ openssl version
OpenSSL 1.0.2o  27 Mar 2018

$ openssl speed
Doing mdc2 for 3s on 16 size blocks: 1696395 mdc2's in 2.99s
etc. etc.

Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK mga5-32-ok

Comment 5 Brian Rockwell 2018-04-03 01:13:01 CEST 
$ uname -a
Linux localhost 4.14.30-desktop-3.mga6 #1 SMP Sun Mar 25 23:26:07 UTC 2018 i686 i686 i686 GNU/Linux


Rpmdrake or one of its priority dependencies needs to be updated first. Rpmdrake will then restart.

The following 13 packages are going to be installed:

- glibc-devel-2.22-28.mga6.i586
- kernel-userspace-headers-4.14.32-1.mga6.i586
- libopenssl-devel-1.0.2o-1.mga6.i586
- libopenssl-engines1.0.0-1.0.2o-1.mga6.i586
- libopenssl-static-devel-1.0.2o-1.mga6.i586
- libopenssl1.0.0-1.0.2o-1.mga6.i586
- librpm7-4.13.1-3.2.mga6.i586
- libzlib-devel-1.2.11-4.1.mga6.i586
- openssl-1.0.2o-1.mga6.i586
- openssl-perl-1.0.2o-1.mga6.i586
- perl-WWW-Curl-4.170.0-12.mga6.i586
- python3-rpm-4.13.1-3.2.mga6.i586
- rpm-4.13.1-3.2.mga6.i586

27MB of additional disk space will be used.

10MB of packages will be retrieved.



$ openssl version
OpenSSL 1.0.2o  27 Mar 2018

–I went ahead and updated the server openssl as well then ran the below command

$ openssl s_time -connect <server>

it worked

$ openssl speed rsa -multi 2
Forked child 0
Forked child 1
+DTP:512:private:rsa:10
+DTP:512:private:rsa:10
etc.

I let the following run until completion

$ openssl speed

working as designed.

Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK mga5-32-ok => MGA5TOO MGA6-64-OK MGA5-64-OK mga5-32-ok mga6-32-ok

Comment 6 Lewis Smith 2018-04-03 11:22:59 CEST 
Super work, Brian. Advisoried, validating.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2018-04-03 20:49:11 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0190.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED