| Summary: | quictls new security issue CVE-2023-5363 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Raphael Gertz <mageia> |
| Component: | RPM Packages | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, mageia, marja11, nicolas.salguero, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9-64-OK | | |
| Source RPM: | quictls-3.0.10-1.mga9.src.rpm | CVE: | |
| Status comment: | | | |
| Bug Depends on: | 32452 | | |
| Bug Blocks: | | | |
Description

Raphael Gertz 2023-11-03 00:46:53 CET

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Incorrect cipher key & IV length processing. (CVE-2023-5363)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5363
https://www.openssl.org/news/secadv/20231024.txt
========================

Updated packages in core/updates_testing:
========================
lib(64)quictls81.3-3.0.12-1.mga9
lib(64)quictls-devel-3.0.12-1.mga9
lib(64)quictls-static-devel-3.0.12-1.mga9
quictls-3.0.12-1.mga9
quictls-perl-3.0.12-1.mga9

from SRPM:
quictls-3.0.12-1.mga9.src.rpm

Keywords: (none) => advisory

Raphael Gertz 2023-11-03 01:23:17 CET

Status: NEW => ASSIGNED

Raphael Gertz 2023-11-03 01:23:36 CET

CC: (none) => nicolas.salguero

Raphael Gertz 2023-11-03 01:29:27 CET

Depends on: (none) => 32452

Assigning to QA, because quictls-3.0.12-1.mga9 landed in 9 core/updates_testing early this morning.

@ Raphael

Thanks for all your work! Do you mind propediting :

r15207 | rapsys | 2023-11-03 01:22:50 +0100 (vr, 03 nov 2023) | 1 line

Add security advisory M9 openssl mga#32484

It only needs "openssl" to be changed into "quictls".

(BTW, sorry for accidentally having overwritten your 32089.adv when I added another advisory last night. I have re-added 32089.adv with the correct message this morning)

CC: (none) => mageia

(In reply to Marja Van Waes from comment #3)
> @ Raphael
>
> Do you mind propediting :
>
> r15207 | rapsys | 2023-11-03 01:22:50 +0100 (vr, 03 nov 2023) | 1 line
>
> Add security advisory M9 openssl mga#32484
>
> It only needs "openssl" to be changed into "quictls".
>
> (BTW, sorry for accidentally having overwritten your 32089.adv when I added
> another advisory last night. I have re-added 32089.adv with the correct
> message this morning)

I re-added the file with the proper commit message.

Raphael Gertz 2023-11-10 01:49:27 CET

CC: (none) => brtians1

Raphael Gertz 2023-11-10 01:49:37 CET

CC: (none) => andrewsfarm

May you validate this update as well please ?

$ cat /etc/mageia-release
Mageia release 9 (Official) for x86_64
$ rpm -qa | grep quictls
lib64quictls81.3-3.0.12-1.mga9
lib64quictls-devel-3.0.12-1.mga9
quictls-3.0.12-1.mga9
$ echo -n 'hello mageia' | quictls aes-256-cbc -e -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee' > mageia.enc
$ quictls aes-256-cbc -d -in mageia.enc -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee'
hello mageia
$ echo -n 'hello mageia' | quictls dgst -sha256
SHA2-256(stdin)= 872f4c6f4fa44aab16bb985dc4b7790f541695db34787f61f58df0f32598a93c
$ echo -n 'hello mageia' | sha256sum
872f4c6f4fa44aab16bb985dc4b7790f541695db34787f61f58df0f32598a93c -

Following procedure from previous update bug 32248:

MGA9-64 Plasma in an HP Pavilion 15.

Installed the above packages, then updated using qarepo with no issues.

Giving this an OK based on the clean update over the old packages, and using comment 6 and comment 7 as a test of function.

Validating.

Whiteboard: (none) => MGA9-64-OK

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0317.html

Status: ASSIGNED => RESOLVED
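The QA test above checks the installed packages by eye with `rpm -qa` before running the cipher and digest round trip. As an added example that is not part of this bug report or of Mageia's QA tooling, the Python below automates the package-version part of that check: it parses `rpm -qa` output and reports any quictls package whose version-release is below the fixed 3.0.12-1.mga9 listed in this bug, using a simplified rpmvercmp-style comparison (tilde and caret rules omitted). The sample `rpm -qa` lines are constructed.

```python
import re

# Fixed version/release on Mageia 9, from this bug's updated package list.
FIXED_VERSION, FIXED_RELEASE = "3.0.12", "1.mga9"

def rpmvercmp(a, b):
    # rpm-style comparison of alphanumeric segments (tilde/caret rules omitted).
    sa, sb = (re.findall(r"[0-9]+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit():
            return 1  # a numeric segment sorts newer than an alpha one
        elif y.isdigit():
            return -1
        else:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1  # leftover segments win

def parse_nvr(pkg):
    # 'lib64quictls81.3-3.0.12-1.mga9' -> ('lib64quictls81.3', '3.0.12', '1.mga9')
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release

def is_fixed(pkg):
    # A package counts as fixed when its version-release is >= 3.0.12-1.mga9.
    _, version, release = parse_nvr(pkg)
    c = rpmvercmp(version, FIXED_VERSION)
    if c == 0:
        c = rpmvercmp(release, FIXED_RELEASE)
    return c >= 0

def check_rpm_qa(output):
    # Map each installed quictls package name to True (fixed) / False (not fixed).
    results = {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(("quictls", "lib64quictls", "libquictls")):
            results[parse_nvr(line)[0]] = is_fixed(line)
    return results

# Constructed sample of `rpm -qa | grep quictls`: quictls itself still on the old 3.0.10 build.
SAMPLE_RPM_QA = "lib64quictls81.3-3.0.12-1.mga9\nlib64quictls-devel-3.0.12-1.mga9\nquictls-3.0.10-1.mga9\n"
```

The comparison is pinned to the Mageia 9 quictls package lineage in this bug; it is not a general OpenSSL version test.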