Bug 32248

Summary: quictls new security issues CVE-2023-2975, CVE-2023-3446 and CVE-2023-3817
Product: Mageia Reporter: Raphael Gertz <mageia>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, marja11, nicolas.salguero, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: quictls-3.0.9-1.mga9.src.rpm CVE:
Status comment:

Description Raphael Gertz 2023-09-05 19:20:54 CEST 
Description of problem:

QuicTLS has issued an advisory on July 14:
https://www.openssl.org/news/secadv/20230714.txt

The issue will be fixed upstream in 3.0.10.

Same as:
https://bugs.mageia.org/show_bug.cgi?id=32112

Impacted mga9 & cauldron.

Suggested advisory:
========================
The updated packages fix security vulnerabilities:

AES-SIV implementation ignores empty associated data entries. (CVE-2023-2975)

Excessive time spent checking DH keys and parameters. (CVE-2023-3446)

Excessive time spent checking DH q parameter value. (CVE-2023-3817)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2975
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3446
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3817
https://www.openssl.org/news/secadv/20230714.txt
https://www.openssl.org/news/secadv/20230719.txt
https://www.openssl.org/news/secadv/20230731.txt
========================

Updated packages in 9/core/updates_testing:
========================
lib(64)quictls81.3-3.0.10-1.mga9
lib(64)quictls-devel-3.0.10-1.mga9
lib(64)quictls-static-devel-3.0.10-1.mga9
quictls-3.0.10-1.mga9
quictls-perl-3.0.10-1.mga9

from SRPM:
quictls-3.0.10-1.mga9.src.rpm
Comment 1 Raphael Gertz 2023-09-05 19:21:41 CEST 
The library is required by haproxy-quic subpackage.
Comment 2 Raphael Gertz 2023-09-05 19:29:26 CEST 
$ rpm -q quictls lib64quictls81.3
lib64quictls81.3-3.0.10-1.mga9
quictls-3.0.10-1.mga9

$ quictls  s_client -connect rapsys.eu:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = rapsys.eu
verify return:1
---
[...]
---
Server certificate
[...]
subject=CN = rapsys.eu
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4161 bytes and written 393 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
[...]
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
[...]
---
read R BLOCK
closed
Comment 3 Lewis Smith 2023-09-05 20:32:45 CEST 
Thank you for raising this.

I discover that you are the active (& registered) packager for this, and that you have already put in Cauldron v3.0.10 ! So assigning to you.

Component: RPM Packages => Security
Assignee: bugsquad => mageia
CC: (none) => luigiwalser
QA Contact: (none) => security
Status comment: (none) => will be fixed upstream in 3.0.10

David Walser 2023-09-05 21:00:17 CEST

CC: luigiwalser => (none)

Comment 4 Raphael Gertz 2023-09-06 06:35:26 CEST 
Reassigning to qa to get the update already done validated.

Don't hesitate to comment if I missed something in the procedure.

Assignee: mageia => qa-bugs
Status: NEW => ASSIGNED

Raphael Gertz 2023-09-06 06:36:17 CEST

Whiteboard: (none) => MGA9TOO

Nicolas Salguero 2023-09-06 11:00:11 CEST

Version: Cauldron => 9
Status comment: will be fixed upstream in 3.0.10 => (none)
CC: (none) => nicolas.salguero
Whiteboard: MGA9TOO => (none)

Comment 5 Raphael Gertz 2023-09-22 02:42:52 CEST 
Andrew as you validated https://bugs.mageia.org/show_bug.cgi?id=32112 may you please validatte this bug too ?

CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Thomas Andrews 2023-09-22 14:05:38 CEST 
MGA9-64 Plasma in an HP Pavilion 15. 

Installed the above packages, then updated using qarepo with no issues.

Giving this an OK based on the clean update over the old packages, and using comment 2 as a test of function.

Validating. Advisory in comment 0.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK

Raphael Gertz 2023-09-25 07:17:12 CEST

CC: (none) => davidwhodgins

Comment 7 Raphael Gertz 2023-09-25 07:18:48 CEST 
Hi David,

May you do the advisory ?

It is a mirror of this bug:
https://bugs.mageia.org/show_bug.cgi?id=32112

Best regards
Marja Van Waes 2023-09-30 15:09:14 CEST

CC: (none) => marja11
Keywords: (none) => advisory

Comment 8 Mageia Robot 2023-09-30 21:18:29 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0273.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED