Bug 24434

Summary: openssl new security issue CVE-2019-1559
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, brtians1, davidwhodgins, herman.viaene, mageia, sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK MGA6-64-OK
Source RPM: openssl-1.0.2q-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2019-02-27 04:04:32 CET 
Upstream has issued an advisory today (February 26):
https://www.openssl.org/news/secadv/20190226.txt

The issue is fixed upstream in 1.0.2r (1.1.0 isn't affected).

Updated packages (including compat-openssl10 in Cauldron) uploaded for Mageia 6 and Cauldron.

Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Openssl

Advisory:
========================

Updated openssl packages fix security vulnerability:

If an application encounters a fatal protocol error and then calls
SSL_shutdown() twice (once to send a close_notify, and once to receive one)
then OpenSSL can respond differently to the calling application if a 0 byte
record is received with invalid padding compared to if a 0 byte record is
received with an invalid MAC. If the application then behaves differently
based on that in a way that is detectable to the remote peer, then this
amounts to a padding oracle that could be used to decrypt data
(CVE-2019-1559).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559
https://www.openssl.org/news/secadv/20190226.txt
========================

Updated packages in core/updates_testing:
========================
openssl-1.0.2r-1.mga6
libopenssl-engines1.0.0-1.0.2r-1.mga6
libopenssl1.0.0-1.0.2r-1.mga6
libopenssl-devel-1.0.2r-1.mga6
libopenssl-static-devel-1.0.2r-1.mga6
openssl-perl-1.0.2r-1.mga6

from openssl-1.0.2r-1.mga6.src.rpm
David Walser 2019-02-27 04:04:48 CET

Keywords: (none) => has_procedure

Comment 1 Len Lawrence 2019-02-27 09:20:02 CET 
mga6, x86_64

Packages updated cleanly.
Testing this later today using the published procedure and including a connection test across the LAN.
.

CC: (none) => tarazed25

Comment 2 PC LX 2019-02-27 11:29:06 CET 
Installed and tested without issue.

Tests included:
- apache plus apache_mod (HTTPS requests, sslscan, online SSL testing);
- sslscan several servers (HTTPS/443, IMAPS/993);
- wget https://example.com/ and other HTTPS URLs;
- links https://example.com/ and other HTTPS URLs;
- PHP script that make use of php-openssl;
- mariadb server (CLI client, phpmyadmin, php scripts);
- dovecot server (sslscan, roundcubemail, kmail, k9);
- normal workstation usage (lots of stuff uses openssl even if indirectly).

System: Mageia 6, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.


$ uname -a
Linux marte 4.14.100-desktop-1.mga6 #1 SMP Fri Feb 15 09:29:46 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep openssl | sort
lib64openssl1.0.0-1.0.2r-1.mga6
lib64openssl-engines1.0.0-1.0.2r-1.mga6
libopenssl1.0.0-1.0.2r-1.mga6
libopenssl-engines1.0.0-1.0.2r-1.mga6
openssl-1.0.2r-1.mga6
php-openssl-7.2.14-1.mga6

CC: (none) => mageia

Comment 3 Brian Rockwell 2019-03-01 17:42:31 CET 
$ uname -a
Linux localhost.localdomain 4.14.104-desktop-2.mga6 #1 SMP Wed Feb 27 17:08:11 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux


The following 5 packages are going to be installed:

- lib64openssl-engines1.0.0-1.0.2r-1.mga6.x86_64
- lib64openssl1.0.0-1.0.2r-1.mga6.x86_64
- openssl-1.0.2r-1.mga6.x86_64
- openssl-perl-1.0.2r-1.mga6.x86_64
- perl-WWW-Curl-4.170.0-12.mga6.x86_64

151KB of additional disk space will be used.

1.6MB of packages will be retrieved.


-- after installation --

$ openssl version
OpenSSL 1.0.2r  26 Feb 2019

$ openssl ciphers -v
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
...etc..etc...etc...

$ openssl ciphers -v 'AES+HIGH'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
...etc....


bash-4.3$ openssl speed
Doing mdc2 for 3s on 16 size blocks: 1586052 mdc2's in 3.00s
Doing mdc2 for 3s on 64 size blocks: 429949 mdc2's in 3.00s
Doing mdc2 for 3s on 256 size blocks: 109377 mdc2's in 3.00s
Doing mdc2 for 3s on 1024 size blocks: 27287 mdc2's in 3.00s
Doing mdc2 for 3s on 8192 size blocks: 3410 mdc2's in 3.00s
Doing md4 for 3s on 16 size blocks: 8497095 md4's in 3.00s
Doing md4 for 3s on 64 size blocks: 6802666 md4's in 3.00s
Doing md4 for 3s on 256 size blocks: 4253263 md4's in 3.00s
Doing md4 for 3s on 1024 size blocks: 1707490 md4's in 3.00s
Doing md4 for 3s on 8192 size blocks: 259572 md4's in 2.99s
Doing md5 for 3s on 16 size blocks: 6421679 md5's in 3.00s
Doing md5 for 3s on 64 size blocks: 4922378 md5's in 2.98s
Doing md5 for 3s on 256 size blocks: 2935464 md5's in 3.00s
Doing md5 for 3s on 1024 size blocks: 1121294 md5's in 3.00s
Doing md5 for 3s on 8192 size blocks: 164222 md5's in 2.99s

...after about 15 minutes of testing I killed it...


That was all of the testing I could do at this time.  Looks good to me.

CC: (none) => brtians1

Comment 4 Herman Viaene 2019-03-04 11:21:59 CET 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ran all tests from wiki (except multi-core) including test to a server in the LAN.
All output looks OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 5 PC LX 2019-03-04 15:13:36 CET 
Marking as OK for x86_64 based on comment 2 and comment 3.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Comment 6 Thomas Andrews 2019-03-04 15:32:28 CET 
All looks good to me. Validating. Suggested advisory in Comment 0.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2019-03-06 22:16:24 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2019-03-07 17:35:53 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0106.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED