Bug 32452

Summary: openssl new security issue CVE-2023-5363
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, brtians1, marja11, nicolas.salguero, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: openssl-3.0.10-1.mga9.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 32484    

Description Nicolas Salguero 2023-10-27 12:35:16 CEST 
OpenSSL has issued an advisory on October 24:
https://www.openssl.org/news/secadv/20231024.txt

The issue is fixed upstream in 3.0.12.
Nicolas Salguero 2023-10-27 12:36:35 CEST

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => openssl-3.0.10-1.mga9.src.rpm
CC: (none) => nicolas.salguero

Comment 1 Marja Van Waes 2023-10-29 13:59:49 CET 
No registered maintainer for openssl, so assigning to all

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 Nicolas Salguero 2023-11-02 15:39:34 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Incorrect cipher key & IV length processing. (CVE-2023-5363)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5363
https://www.openssl.org/news/secadv/20231024.txt
========================

Updated packages in core/updates_testing:
========================
lib(64)openssl3-3.0.12-1.mga9
lib(64)openssl-devel-3.0.12-1.mga9
lib(64)openssl-static-devel-3.0.12-1.mga9
openssl-3.0.12-1.mga9
openssl-perl-3.0.12-1.mga9

from SRPM:
openssl-3.0.12-1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED

Comment 3 Marja Van Waes 2023-11-02 23:59:06 CET 
Advisory from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"

Keywords: (none) => advisory

Raphael Gertz 2023-11-03 01:29:27 CET

Blocks: (none) => 32484

Comment 4 Brian Rockwell 2023-11-07 21:44:39 CET 
MGA9-64, Gnome


The following 3 packages are going to be installed:

- lib64openssl-devel-3.0.12-1.mga9.x86_64
- lib64openssl3-3.0.12-1.mga9.x86_64
- openssl-3.0.12-1.mga9.x86_64

7.5KB of additional disk space will be used.



$ echo -n 'hello mageia' | openssl aes-256-cbc -e -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee' > mageia.enc

$ openssl aes-256-cbc -d -in mageia.enc -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee'

hello mageia



----

basic encryption working for me with an iv

CC: (none) => brtians1

Comment 5 Brian Rockwell 2023-11-07 21:48:28 CET 
[brian@localhost ~]$ echo -n 'hello mageia' | openssl dgst -sha256
SHA2-256(stdin)= 872f4c6f4fa44aab16bb985dc4b7790f541695db34787f61f58df0f32598a93c

[brian@localhost ~]$ echo -n 'hello mageia' | sha256sum
872f4c6f4fa44aab16bb985dc4b7790f541695db34787f61f58df0f32598a93c  -


matching
Brian Rockwell 2023-11-07 21:49:56 CET

Whiteboard: (none) => MGA9-64-OK

Comment 6 Thomas Andrews 2023-11-08 15:11:53 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 Mageia Robot 2023-11-09 14:57:36 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0313.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED