| Summary: | openssl new security issues CVE-2022-1292, CVE-2022-1343, CVE-2022-1434, CVE-2022-1473 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | openssl-1.1.1n-1.mga8.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2022-05-03 17:36:12 CEST
David Walser
2022-05-03 17:36:26 CEST
Status comment:
(none) =>
Fixed upstream in 1.1.1o and 3.0.3 No evident maintainer, so assigning globally. CC'ing NicolasS who did a similar update not so long ago. CC:
(none) =>
nicolas.salguero Suggested advisory: ======================== The updated packages fix a security vulnerability: The c_rehash script allows command injection. (CVE-2022-1292) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1292 https://www.openssl.org/news/secadv/20220503.txt ======================== Updated packages in core/updates_testing: ======================== lib(64)openssl1.1-1.1.1o-1.mga8 lib(64)openssl-devel-1.1.1o-1.mga8 lib(64)openssl-static-devel-1.1.1o-1.mga8 openssl-1.1.1o-1.mga8 openssl-perl-1.1.1o-1.mga8 from SRPM: openssl-1.1.1o-1.mga8.src.rpm Whiteboard:
MGA8TOO =>
(none) Ubuntu has issued an advisory for this on May 4: https://ubuntu.com/security/notices/USN-5402-1 installed openssl
$ openssl version
OpenSSL 1.1.1o 3 May 2022
$ openssl enc -aes-128-cbc -in firefox78_12.txt -out fire.enc
enter aes-128-cbc encryption password:
Verifying - enter aes-128-cbc encryption password:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
$ ll fire.enc
-rw-r--r-- 1 brian live 464 May 5 20:43 fire.enc
$ cat fire.enc
Salted__�,+=W�$�jV���<9��{��
\���cqϖ��FY�
vCJ�R���҂� Dy�
~u�[$f[�~
��"�Y��0|�f#+����FQ-�i�7�����������M1%f�i꼏e.���y@��+�2�����1N�Jp[��� �1:
�E�
�7؟��kj��PA�;3�3�t�����#�
����.�Z�G���[���������Z
�A�l�g���l��n���W���z}�O��J��F~�N}��c�N����w���u6��w!���t�
�ư���=�li��i�*���8W�"j������O�A&�d�vi���~��������g)Q��Z9�d>+
=�9��^;��meu�������&H���Z "����
n�^����N�삭�
$ openssl enc -d -aes-128-cbc -in fire.enc -out fire.txt
enter aes-128-cbc decryption password:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
file sizes match
$ ll fire.*
-rw-r--r-- 1 brian live 464 May 5 20:43 fire.enc
-rw-r--r-- 1 brian live 439 May 5 20:44 fire.txt
$ ll firefox78_12.txt
-rw-r--r-- 1 brian live 439 Jul 14 2021 firefox78_12.txt
source and restored file md5's match
$ openssl dgst -md5 firefox78_12.txt
MD5(firefox78_12.txt)= 33e849ed30b6664813656a4e05264f58
$ openssl dgst -md5 fire.txt
MD5(fire.txt)= 33e849ed30b6664813656a4e05264f58
working from my perspectiveCC:
(none) =>
brtians1 $ openssl genpkey -out fd.key -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -aes-128-cbc
$ openssl req -new -key fd.key -out fd.csr
$ openssl req -text -in fd.csr -noout
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = US, ST = Illinois, L = xxx, O = xxx, CN = localhost
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:ec:6c:32:28:0a:5d:8e:ea:59:e9:51:d4:e9:32:
3c:23:29:86:2e:10:65:cc:a6:07:9f:5b:14:5a:25:
82:9e:16:88:5b:27:25:2c:e8:ba:4f:9d:92:1f:60:
31:31:75:68:e3:18:cf:e5:5a:6f:8f:ea:cd:3a:16:
2b:c4:f1:4b:ef
ASN1 OID: prime256v1
NIST CURVE: P-256
Attributes:
a0:00
Signature Algorithm: ecdsa-with-SHA256
30:45:02:21:00:da:bd:56:03:00:ef:a6:5b:38:ed:d0:17:3e:
04:5c:f9:40:38:7a:08:2b:bc:37:a9:24:86:91:7f:70:37:55:
56:02:20:35:09:fd:66:cc:b4:30:ca:71:12:3c:56:ef:84:23:
5c:73:b7:13:0f:ed:77:4b:2d:ac:ca:9e:ea:4d:37:af:66
creating certs work
MGA8-64 Plasma on Lenovo B50 in Dutch No installation issues. Following WIKI: $ openssl version OpenSSL 1.1.1o 3 May 2022 $ openssl version -a OpenSSL 1.1.1o 3 May 2022 built on: Wed May 4 19:59:53 2022 UTC platform: linux-x86_64 options: bn(64,64) md2(char) rc4(16x,int) des(int) idea(int) blowfish(ptr) compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config" OPENSSLDIR: "/etc/pki/tls" ENGINESDIR: "/usr/lib64/engines-1.1" Seeding source: os-specific engines: rdrand dynamic $ openssl ciphers -v TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ECDHE-ECDSA-AES256-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(256) Mac=AEAD ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD ECDHE-ECDSA-AES128-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(128) Mac=AEAD ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256 ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256 ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1 ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1 ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1 and more...... $ openssl ciphers -v -tls1 TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD and more..... $ openssl ciphers -v 'HIGH' TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD and more.... $ openssl ciphers -v 'AES+HIGH' TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD and more..... other tests from WIKI behave OK. OK'ing in view of other tests by Brian. CC:
(none) =>
herman.viaene Validating. Advisory in Comment 2. CC:
(none) =>
andrewsfarm, sysadmin-bugs Are the fixes for CVE-2022-1343, CVE-2022-1434, and CVE-2022-1473 included? Keywords:
(none) =>
feedback Nevermind. Missed that in the description, only the one cve applies to m8. Keywords:
feedback =>
advisory An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0173.html Resolution:
(none) =>
FIXED |