| Summary: | openssl new security issues CVE-2024-4603 and CVE-2024-4741 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9-64-OK | | |
| Source RPM: | openssl-3.0.13-1.mga9.src.rpm | CVE: | CVE-2024-4603, CVE-2024-4741 |
| Status comment: | | | |
Description
Nicolas Salguero
2024-05-17 08:56:26 CEST

Nicolas Salguero
2024-05-17 08:56:49 CEST
Status comment: (none) => Patches available from upstream

Nicolas, you normally do openssl, so assigning this to you.
Assignee: bugsquad => nicolas.salguero

OpenSSL has issued an advisory on May 28: https://www.openssl.org/news/secadv/20240528.txt

The fix will be included in the next releases when they become available. The fix is also available in commit e5093133c3 (for 3.3), commit c88c3de510 (for 3.2), commit 704f725b96 (for 3.1) and commit b3f0eb0a29 (for 3.0) in the OpenSSL git repository.

Mageia 9 is also affected.
CVE: CVE-2024-4603 => CVE-2024-4603, CVE-2024-4741

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Excessive time spent checking DSA keys and parameters. (CVE-2024-4603)

Use After Free with SSL_free_buffers. (CVE-2024-4741)

References:
https://www.openssl.org/news/secadv/20240516.txt
https://www.openssl.org/news/secadv/20240528.txt
========================

Updated packages in core/updates_testing:
========================
lib(64)openssl3-3.0.13-1.1.mga9
lib(64)openssl-devel-3.0.13-1.1.mga9
lib(64)openssl-static-devel-3.0.13-1.1.mga9
openssl-3.0.13-1.1.mga9
openssl-perl-3.0.13-1.1.mga9

from SRPM:
openssl-3.0.13-1.1.mga9.src.rpm
Status: NEW => ASSIGNED
katnatek
2024-05-30 20:26:38 CEST
Keywords: (none) => advisory

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing openssl-3.0.13-1.1.mga9.x86_64.rpm lib64openssl3-3.0.13-1.1.mga9.x86_64.rpm lib64openssl-devel-3.0.13-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/3: lib64openssl3 ##################################################################################################
2/3: openssl ##################################################################################################
3/3: lib64openssl-devel ##################################################################################################
1/3: removing openssl-3.0.13-1.mga9.x86_64
##################################################################################################
2/3: removing lib64openssl-devel-3.0.13-1.mga9.x86_64
##################################################################################################
3/3: removing lib64openssl3-3.0.13-1.mga9.x86_64
##################################################################################################
restart sshd and consult status, looks well
Reference bug#33078 comment#5
echo -n 'hello mageia' | openssl aes-256-cbc -e -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee' > mageia.enc
openssl aes-256-cbc -d -in mageia.enc -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee'
hello mageia
RH mageia 9 i586
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
installing libopenssl3-3.0.13-1.1.mga9.i586.rpm openssl-3.0.13-1.1.mga9.i586.rpm libopenssl-devel-3.0.13-1.1.mga9.i586.rpm from //home/katnatek/qa-testing/i586
Preparing... ################################################################
1/3: libopenssl3 ################################################################
2/3: libopenssl-devel ################################################################
3/3: openssl ################################################################
1/3: removing openssl-3.0.13-1.mga9.i586
################################################################
2/3: removing libopenssl-devel-3.0.13-1.mga9.i586
################################################################
3/3: removing libopenssl3-3.0.13-1.mga9.i586
################################################################
restart sshd and consult status, looks well
Reference bug#33078 comment#5
echo -n 'hello mageia' | openssl aes-256-cbc -e -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee' > mageia.enc
[katnatek@cefiro ~]$ openssl aes-256-cbc -d -in mageia.enc -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee'
hello mageia
MGA9-64 Plasma Wayland on HP-Pavillion

No installation issues

Test as above:
$ echo -n 'hello mageia' | openssl aes-256-cbc -e -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee' > mageia.enc
$ openssl aes-256-cbc -d -in mageia.enc -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee'
hello mageia

Usual tests
$ openssl version -a
OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
built on: Thu May 30 08:16:31 2024 UTC
platform: linux-x86_64
options:  bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-3"
MODULESDIR: "/usr/lib64/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0x43d8e3bfefebffff:0x2282

$ openssl ciphers -v
TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any      Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(128)            Mac=AEAD
TLS_AES_128_CCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESCCM(128)            Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256)            Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256)            Mac=AEAD
etc.......

$ openssl speed rsa
Doing 512 bits private rsa's for 10s: 56525 512 bits private RSA's in 9.99s
Doing 512 bits public rsa's for 10s: 827771 512 bits public RSA's in 9.99s
Doing 1024 bits private rsa's for 10s: 16552 1024 bits private RSA's in 9.99s
Doing 1024 bits public rsa's for 10s: 269013 1024 bits public RSA's in 10.00s
Doing 2048 bits private rsa's for 10s: 2203 2048 bits private RSA's in 10.00s
Doing 2048 bits public rsa's for 10s: 75924 2048 bits public RSA's in 10.00s
Doing 3072 bits private rsa's for 10s: 692 3072 bits private RSA's in 9.99s
Doing 3072 bits public rsa's for 10s: 34981 3072 bits public RSA's in 9.99s
Doing 4096 bits private rsa's for 10s: 301 4096 bits private RSA's in 10.00s
Doing 4096 bits public rsa's for 10s: 19988 4096 bits public RSA's in 10.00s
etc...

All works OK
CC: (none) => herman.viaene

Validating.
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0200.html
Status: ASSIGNED => RESOLVED
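The AES-256-CBC round-trip that both testers ran by hand above, scripted so the result is compared automatically instead of read off the terminal. This is an added example, not part of the bug report and not Mageia QA tooling; the key and IV are the test values from the comments above (test data, not secrets), and the function names are this example's own.

```shell
#!/bin/sh
# Added example: scripted form of the QA round-trip check used in this bug.
# Encrypts a known plaintext with AES-256-CBC under an explicit key/IV,
# decrypts it again and verifies the plaintext survives. Any failure in the
# openssl invocations (missing binary, bad decrypt) makes the check fail.

# Test key and IV taken from the QA comments above (constructed test values).
AES_KEY=47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162
AES_IV=47bc82c4e6dd271d3a72d526bf6ac3ee

# aes_roundtrip PLAINTEXT
#   Prints decrypt(encrypt(PLAINTEXT)); returns non-zero if either step fails.
aes_roundtrip() {
    plaintext=$1
    tmp=$(mktemp) || return 1
    # Encrypt from stdin into a temporary file, exactly as the testers did.
    printf '%s' "$plaintext" \
        | openssl aes-256-cbc -e -K "$AES_KEY" -iv "$AES_IV" > "$tmp" \
        || { rm -f "$tmp"; return 1; }
    # Decrypt the file back to stdout.
    openssl aes-256-cbc -d -in "$tmp" -K "$AES_KEY" -iv "$AES_IV"
    status=$?
    rm -f "$tmp"
    return $status
}

# roundtrip_ok PLAINTEXT
#   Returns 0 only when the decrypted output equals the original plaintext.
roundtrip_ok() {
    out=$(aes_roundtrip "$1") || return 1
    [ "$out" = "$1" ]
}

# installed_openssl_version
#   Prints the version string reported by the openssl binary (e.g. 3.0.13).
installed_openssl_version() {
    openssl version | awk '{print $2}'
}

# Run the check when executed directly; skip quietly if openssl is absent.
if command -v openssl >/dev/null 2>&1; then
    echo "openssl version: $(installed_openssl_version)"
    if roundtrip_ok 'hello mageia'; then
        echo "AES-256-CBC round-trip: PASS"
    else
        echo "AES-256-CBC round-trip: FAIL" >&2
        exit 1
    fi
fi
```

Run it on a machine with the candidate packages installed; a non-zero exit means the encrypt/decrypt pair no longer agrees, which is the same signal the testers looked for when they checked that `hello mageia` came back out.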