Bug 3977

Summary: openssl missing security update for CVE-2011-1945, CVE-2011-3207, and CVE-2011-3210
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: major
Priority: Normal
CC: arnaud.patard, dmorganec, fundawang, mageia, pterjan, sysadmin-bugs, tmb
Version: 1
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
Whiteboard:
Source RPM: openssl
CVE:
Status comment:

Description David Walser 2012-01-01 02:53:59 CET
Mandriva issued this advisory on September 28:
http://lists.mandriva.com/security-announce/2011-09/msg00022.php

This can be fixed by using MDV's patches or upgrading to 1.0.0e.

Comment 1 Manuel Hiebel 2012-01-01 12:35:07 CET
Hi, thanks for reporting this bug.
As there is no maintainer for this package I added the committers in CC.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => arnaud.patard, fundawang, mageia, pterjan
Source RPM: openssl-1.0.0d-2.mga1.src.rpm => openssl
Severity: normal => major

Comment 2 D Morgan 2012-01-01 13:47:55 CET
Just pushed with patches in update_testing.

CC: (none) => dmorganec
Assignee: bugsquad => qa-bugs

Comment 3 David Walser 2012-01-01 18:13:58 CET
Tested successfully on i586 by testing openssh and apache-mod_ssl.

Comment 4 claire robinson 2012-01-03 12:20:17 CET
x86_64

The following 5 packages are going to be installed:

- lib64openssl-devel-1.0.0d-2.1.mga1.x86_64
- lib64openssl-engines1.0.0-1.0.0d-2.1.mga1.x86_64
- lib64openssl-static-devel-1.0.0d-2.1.mga1.x86_64
- lib64openssl1.0.0-1.0.0d-2.1.mga1.x86_64
- openssl-1.0.0d-2.1.mga1.x86_64

Accessed zoneminder & phpmyadmin via https

Testing complete x86_64

SRPM: openssl-1.0.0d-2.1.mga1.src.rpm

Advisory
-----------------
openssl security update for CVE-2011-1945, CVE-2011-3207, and CVE-2011-3210
-----------------

Could sysadmin please push from core/updates_testing to core/updates?

Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Thomas Backlund 2012-01-04 14:24:13 CET
Update pushed.

BTW, there was _way_ too little info in the advisory for CVE fixes.

I added the following:

* The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and
  earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA)
  is used for the ECDHE_ECDSA cipher suite, does not properly implement
  curves over binary fields, which makes it easier for context-dependent
  attackers to determine private keys via a timing attack and a lattice
  calculation.
  (CVE-2011-1945)

* crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not initialize
  certain structure members, which makes it easier for remote attackers to
  bypass CRL validation by using a nextUpdate value corresponding to a time
  in the past. 
  (CVE-2011-3207)

* The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through
  0.9.8s and 1.0.x before 1.0.0e does not ensure thread safety during 
  processing of handshake messages, which allows remote attackers to cause
  a denial of service (application crash) via out-of-order messages that
  violate the TLS protocol. 
  (CVE-2011-3210)

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 6 claire robinson 2012-01-04 14:27:08 CET
Thank you, I didn't have anything to work from.
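
Added example, not part of the original thread or of Mageia's tooling: one way to audit `rpm -qa` output for the packages listed in comment 4 and flag any build older than the fixed `1.0.0d-2.1.mga1`. The version comparison is a simplified form of rpm's segment ordering (epoch, `~` and `^` are not handled), and the sample lines are constructed.

```python
import re

# Fixed build from comment 4 of this thread (version-release, no arch).
FIXED_EVR = "1.0.0d-2.1.mga1"
# Binary package names exactly as listed in comment 4 (x86_64).
PACKAGES = {
    "openssl", "lib64openssl1.0.0", "lib64openssl-devel",
    "lib64openssl-static-devel", "lib64openssl-engines1.0.0",
}

def rpmvercmp(a, b):
    """Simplified rpm segment comparison (no epoch, ~ or ^): returns -1, 0 or 1."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)            # numeric segments compare as integers
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def outdated(rpm_qa_lines, fixed=FIXED_EVR):
    """Return the name-version-release.arch lines that are older than `fixed`."""
    fixed_ver, fixed_rel = fixed.split("-")
    hits = []
    for line in rpm_qa_lines:
        nvr, _, _arch = line.strip().rpartition(".")
        parts = nvr.rsplit("-", 2)           # name may itself contain dashes
        if len(parts) != 3 or parts[0] not in PACKAGES:
            continue
        _name, ver, rel = parts
        # Version decides first; release only breaks a version tie.
        if (rpmvercmp(ver, fixed_ver) or rpmvercmp(rel, fixed_rel)) < 0:
            hits.append(line.strip())
    return hits

# Constructed `rpm -qa` output: two pre-update builds, one fixed, one unrelated.
SAMPLE = [
    "openssl-1.0.0d-2.mga1.x86_64",
    "lib64openssl1.0.0-1.0.0d-2.1.mga1.x86_64",
    "lib64openssl-devel-1.0.0d-2.mga1.x86_64",
    "bash-4.2-1.mga1.x86_64",
]

if __name__ == "__main__":
    for pkg in outdated(SAMPLE):
        print("needs update:", pkg)
```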