| Summary: | openssl new security issue CVE-2022-0778 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, davidwhodgins, mageia, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | openssl-1.1.1m-1.mga8.src.rpm | CVE: | CVE-2022-0778 |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 29768 | ||
Description
David Walser
2022-03-15 18:18:59 CET
David Walser
2022-03-15 18:19:18 CET
Status comment:
(none) =>
Fixed upstream in 1.1.1n and 3.0.2

Ubuntu has issued an advisory for this today (March 15):
https://ubuntu.com/security/notices/USN-5328-1

(In reply to David Walser from comment #0)
> As noted in Bug 29768, there is a lingering openssl-1.1.1l-1.mga9.src.rpm in
> the Cauldron repo that needs to be removed.

IIRC it got reinstated to unbreak buildsystem while some bits were not yet properly rebuilt against openssl 3... I'll try to remember to nuke it after the distro rebuild is done

the srpm protects the libs from being removed by autocleaner scripts. there is no -devel libs for 1.1.1 so nothing can be rebuilt against it

'openssl' is committed by various people, so having to assign this update globally.

Assignee:
bugsquad =>
pkg-bugs

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Infinite loop in BN_mod_sqrt() reachable when parsing certificates. (CVE-2022-0778)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778
https://www.openssl.org/news/secadv/20220315.txt
https://ubuntu.com/security/notices/USN-5328-1
========================

Updated packages in core/updates_testing:
========================
lib(64)openssl1.1-1.1.1n-1.mga8
lib(64)openssl-devel-1.1.1n-1.mga8
lib(64)openssl-static-devel-1.1.1n-1.mga8
openssl-1.1.1n-1.mga8
openssl-perl-1.1.1n-1.mga8

from SRPM:
openssl-1.1.1n-1.mga8.src.rpm

Source RPM:
openssl-3.0.0-2.mga9.src.rpm, openssl-1.1.1m-1.mga8.src.rpm =>
openssl-1.1.1m-1.mga8.src.rpm

installed openssl
$ openssl version
OpenSSL 1.1.1n 15 Mar 2022
$ openssl enc -aes-256-cbc -in firefox78_12.txt -out fire.enc
$ cat firefox78_12.txt
The following 11 packages are going to be installed:
blah blah blah
$ cat fire.enc
Salted__�N�Au�y���&���V����[��-6�'�n���ǎ!%`ѿ��2k��ʰ��������oR��g!m�%�3oqo|kOCvl�%3d�.<�Ǘ_�U�4K�U� ��:Rۦr�l�c�W�v��B�&�H�b_͜6�P�$�N}�i�XG֯W(vճ�&vȅ�}RФg{�"EWެ�aZ!ò��Aa��>,Ź�z0�,��^��*��ɷ%���2ݑ�9�Yo=T|��QtD��ݍ$s�&Ũj
����,�.�xF\@B�*^=�P�_2�h�w*�;��
���?��_�O�q��Ƨ}˾�����s��!��jId4�a��`�n"����'�������ZݛA.AW�Z[
$ openssl enc -d -aes-256-cbc -in fire.enc -out fire.txt
$ cat fire.txt
The following 11 packages are going to be installed:
blah blah blah
sizes match
live 439 Jul 14 2021 firefox78_12.txt
live 439 Mar 16 10:51 fire.txt
hashes match
$ openssl dgst -md5 firefox78_12.txt
MD5(firefox78_12.txt)= 33e849ed30b6664813656a4e05264f58
$ openssl dgst -md5 fire.txt
MD5(fire.txt)= 33e849ed30b6664813656a4e05264f58
working from my perspective

CC:
(none) =>
brtians1

Installed and tested without issues.

This update has been in use on this workstation for several days without issues. Also did some explicit testing by creating keys and certificates.

Will mark this update as OK for x86_64 to move this along. Please undo if appropriate.

System: Mageia 8, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver.

$ uname -a
Linux marte 5.15.28-desktop-1.mga8 #1 SMP Fri Mar 11 15:54:53 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep openssl
lib64openssl-devel-1.1.1n-1.mga8
libopenssl1.1-1.1.1m-1.mga8
lib64openssl1.1-1.1.1n-1.mga8
openssl-1.1.1n-1.mga8
php-openssl-8.0.17-1.mga8

Whiteboard:
(none) =>
MGA8-64-OK

Validating. Advisory in Comment 4.

CC:
(none) =>
andrewsfarm, sysadmin-bugs
Dave Hodgins
2022-03-22 18:27:24 CET
Keywords:
(none) =>
advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0113.html

Status:
ASSIGNED =>
RESOLVED
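
An added example, not part of the bug thread or of Mageia's tooling: a check over `rpm -qa` output that reports which OpenSSL packages are at or above the fix levels named in this report (1.1.1n and 3.0.2), run on the package listing quoted in the thread. The package-name pattern follows the advisory's package list; the function names and status labels are assumptions of this example, and comparing upstream version strings is valid here only because this update ships the fix as a version bump rather than as a backported patch.

```python
import re

# Fix levels as stated in this report: 1.1.1n and 3.0.2. All names below are
# this example's own (hypothetical), not Mageia or OpenSSL tooling.
FIXED_LETTER_111 = "n"
FIXED_PATCH_30 = 2
# Binary package names from the advisory's package list; rpm -qa prints
# name-version-release.
PKG_RE = re.compile(
    r"^(lib(?:64)?openssl(?:1\.1|-devel|-static-devel)|openssl(?:-perl)?)"
    r"-(\d[^-]*)-([^-]+)$"
)
VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")

def is_fixed(version):
    """True/False for the 1.1.1 and 3.0 series; None for anything else."""
    m = VER_RE.match(version)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    letters = m.group(4)
    if (major, minor, patch) == (1, 1, 1):
        # Letter releases order a < b < ... < z < za, so compare length first.
        return (len(letters), letters) >= (1, FIXED_LETTER_111)
    if (major, minor) == (3, 0) and not letters:
        return patch >= FIXED_PATCH_30
    return None  # series not covered by this report

def audit(rpm_qa_output):
    """Return [(package, version, status)] for OpenSSL packages only."""
    labels = {True: "fixed", False: "unpatched", None: "unknown"}
    findings = []
    for line in rpm_qa_output.splitlines():
        m = PKG_RE.match(line.strip())
        if not m:
            continue  # e.g. php-openssl carries PHP's version, not OpenSSL's
        findings.append((m.group(1), m.group(2), labels[is_fixed(m.group(2))]))
    return findings

# Sample input: the `rpm -qa | grep openssl` listing quoted in the thread.
SAMPLE = """\
lib64openssl-devel-1.1.1n-1.mga8
libopenssl1.1-1.1.1m-1.mga8
lib64openssl1.1-1.1.1n-1.mga8
openssl-1.1.1n-1.mga8
php-openssl-8.0.17-1.mga8
"""

if __name__ == "__main__":
    for name, version, status in audit(SAMPLE):
        print(f"{status:10} {name} {version}")
```

On the quoted listing this reports `libopenssl1.1` at 1.1.1m as `unpatched` while the `lib64` and `openssl` packages show `fixed`, and `php-openssl` is skipped.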