| Summary: | openssl new security issue CVE-2024-5535 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9-64-OK | | |
| Source RPM: | openssl-3.0.13-1.1.mga9.src.rpm | CVE: | CVE-2024-5535 |
| Status comment: | | | |
Description
Nicolas Salguero
2024-06-27 15:37:00 CEST
Nicolas Salguero
2024-06-27 15:37:59 CEST
Status comment: (none) => Patches available from upstream

Suggested advisory:

========================

The updated packages fix a security vulnerability:

SSL_select_next_proto buffer overread. (CVE-2024-5535)

References:
https://openssl.org/news/secadv/20240627.txt

========================

Updated packages in core/updates_testing:

========================

lib(64)openssl3-3.0.14-1.mga9
lib(64)openssl-devel-3.0.14-1.mga9
lib(64)openssl-static-devel-3.0.14-1.mga9
openssl-3.0.14-1.mga9
openssl-perl-3.0.14-1.mga9

from SRPM:
openssl-3.0.14-1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
katnatek
2024-06-27 21:56:25 CEST
Keywords: (none) => advisory

MGA9-64 Plasma Wayland on HP-Pavilion
No installation issues.
Following the wiki

$ openssl version
OpenSSL 3.0.14 4 Jun 2024 (Library: OpenSSL 3.0.14 4 Jun 2024)

$ openssl version -a
OpenSSL 3.0.14 4 Jun 2024 (Library: OpenSSL 3.0.14 4 Jun 2024)
built on: Thu Jun 27 14:00:07 2024 UTC
platform: linux-x86_64
options: bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-3"
MODULESDIR: "/usr/lib64/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0x43d8e3bfefebffff:0x2282

$ openssl ciphers -v
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
etc......

$ openssl ciphers -v -tls1
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
etc .......

$ openssl speed rsa
Doing 512 bits private rsa's for 10s: 56227 512 bits private RSA's in 9.98s
Doing 512 bits public rsa's for 10s: 827819 512 bits public RSA's in 10.00s
Doing 1024 bits private rsa's for 10s: 16640 1024 bits private RSA's in 10.00s
Doing 1024 bits public rsa's for 10s: 269845 1024 bits public RSA's in 10.00s
Doing 2048 bits private rsa's for 10s: 2208 2048 bits private RSA's in 10.01s
Doing 2048 bits public rsa's for 10s: 76402 2048 bits public RSA's in 9.99s
Doing 3072 bits private rsa's for 10s: 691 3072 bits private RSA's in 10.00s
etc....

$ openssl s_time -connect mydesktop:443
Collecting connection statistics for 30 seconds
1086 connections in 6.62s; 164.05 connections/user sec, bytes read 0
1086 connections in 31 real seconds, 0 bytes read per connection

Now timing with session id reuse.
starting
1136 connections in 7.49s; 151.67 connections/user sec, bytes read 0
1136 connections in 31 real seconds, 0 bytes read per connection

All looks OK.

Whiteboard: (none) => MGA9-64-OK

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0247.html

Resolution: (none) => FIXED