Bug 33078

Summary: openssl new security issue CVE-2024-2511
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, brtians1, herman.viaene, mageia, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: openssl-3.0.12-1.1.mga9.src.rpm CVE: CVE-2024-2511
Status comment:

Description Nicolas Salguero 2024-04-09 16:51:27 CEST 
OpenSSL has issued an advisory on April 8:
https://openssl.org/news/secadv/20240408.txt

The fix will be included in the next releases when they become available (3.1.6 and 3.0.14) and in commit 7e4d731b (for 3.1) and commit b52867a9 (for 3.0) in the OpenSSL git repository.

Mageia 9 is also affected.
Nicolas Salguero 2024-04-09 16:51:59 CEST

Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-2511
Source RPM: (none) => openssl-3.1.4-3.mga10.src.rpm
Status comment: (none) => Patches available from upstream

Comment 1 Lewis Smith 2024-04-09 22:10:13 CEST 
"The fix will be included in the next releases when they
become available. The fix is also available in
 commit e9d7083e (for 3.2),
 commit 7e4d731b (for 3.1) 
 commit b52867a9 (for 3.0)
in the OpenSSL git repository" (wherever that is).

Leaving this with NicolasS  who mostly maintains openSSL. Please re-assign to pkg-bugs if this does not suit you.

Assignee: bugsquad => nicolas.salguero

Comment 2 Nicolas Salguero 2024-04-10 12:30:33 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Unbounded memory growth with session handling in TLSv1.3. (CVE-2024-2511)

References:
https://openssl.org/news/secadv/20240408.txt
========================

Updated packages in core/updates_testing:
========================
lib(64)openssl3-3.0.13-1.mga9
lib(64)openssl-devel-3.0.13-1.mga9
lib(64)openssl-static-devel-3.0.13-1.mga9
openssl-3.0.13-1.mga9
openssl-perl-3.0.13-1.mga9

from SRPM:
openssl-3.0.13-1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 9
Source RPM: openssl-3.1.4-3.mga10.src.rpm => openssl-3.0.12-1.1.mga9.src.rpm
Assignee: nicolas.salguero => qa-bugs
Status comment: Patches available from upstream => (none)

PC LX 2024-04-10 12:56:22 CEST

CC: (none) => mageia

katnatek 2024-04-10 20:16:46 CEST

Keywords: (none) => advisory

Comment 3 PC LX 2024-04-11 11:19:49 CEST 
Installed and tested without issues.

Tested using:
- apache plus apache-mod_ssl as HTTP server;
- firefox, chromium, curl, wget as HTTP clients;
- sslscan and https://www.ssllabs.com/ssltest/ as clients;
- dovecot IMAP server;
- trojita, kmail, roundcubemail as IMAP client;
- sshd as server;
- ssh as client;
- openssl CLI to create keys and certificates;
- openssl CLI to inspect existing keys and certificates;
- openssl speed.
- certbot.

Tested for one day. No issues noticed.



System server: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz.
System client: Mageia 9, x86_64, AMD Ryzen 5 5600G with Radeon Graphics.



#### Server side ####
$ uname -a
Linux marte 6.6.22-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sun Mar 17 18:04:51 UTC 2024 x86_64 GNU/Linux
$ rpm -qa | grep openssl.*3.0.13
lib64openssl3-3.0.13-1.mga9
lib64openssl-devel-3.0.13-1.mga9
openssl-3.0.13-1.mga9


#### Client side ####
$ uname -a
Linux jupiter 6.6.22-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sun Mar 17 18:04:51 UTC 2024 x86_64 GNU/Linux
$ rpm -qa | grep openssl.*3.0.13
lib64openssl3-3.0.13-1.mga9
openssl-3.0.13-1.mga9
lib64openssl-devel-3.0.13-1.mga9
libopenssl3-3.0.13-1.mga9
Comment 4 Brian Rockwell 2024-04-12 17:54:18 CEST 
MGA9-64, Gnome


The following 3 packages are going to be installed:

- lib64openssl-devel-3.0.13-1.mga9.x86_64
- lib64openssl3-3.0.13-1.mga9.x86_64
- openssl-3.0.13-1.mga9.x86_64



$ openssl version
OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)

$ echo -n 'hello mageia' | openssl aes-256-cbc -e -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee' > mageia.enc

$ openssl aes-256-cbc -d -in mageia.enc -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee'
hello mageia



----

basic encryption working for me with an iv

CC: (none) => brtians1

Comment 5 Brian Rockwell 2024-04-12 17:55:04 CEST 
MGA9-64, Gnome


The following 3 packages are going to be installed:

- lib64openssl-devel-3.0.13-1.mga9.x86_64
- lib64openssl3-3.0.13-1.mga9.x86_64
- openssl-3.0.13-1.mga9.x86_64



$ openssl version
OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)

$ echo -n 'hello mageia' | openssl aes-256-cbc -e -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee' > mageia.enc

$ openssl aes-256-cbc -d -in mageia.enc -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee'
hello mageia



----

basic encryption working for me with an iv
Comment 6 Herman Viaene 2024-04-13 12:08:40 CEST 
MGA9-64 Plasma Wayland on HP-Pavillion
No installation issues.
Picked cipher list and speed test  from the wiki after other tests have already been done above.
All works OK.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 7 Thomas Andrews 2024-04-13 16:56:49 CEST 
Lots of tests. Good!

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 8 Mageia Robot 2024-04-13 18:57:31 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0129.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED