| Summary: | openssl new security issue CVE-2011-4108 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | arnaud.patard, davidwhodgins, dmorganec, fundawang, mageia, pterjan, sysadmin-bugs, tmb |
| Version: | 1 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openssl.org/news/secadv_20120104.txt | ||
| Whiteboard: | |||
| Source RPM: | openssl-1.0.0d-2.1.mga1.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 3819 | ||
|
Description
David Walser
2012-01-07 04:48:48 CET
In fact it's more CVEs: http://www.openssl.org/news/secadv_20120104.txt

As there is no maintainer for this package I added the committers in CC. (Please set the status to 'assigned' if you are working on it)

URL: (none) => http://www.openssl.org/news/secadv_20120104.txt

Adding dmorgan in CC who built the last update.

CC: (none) => dmorganec

Ping ?

For reference, Mandriva has just issued the advisory for this (January 16):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:006

They have patched their packages and they list CVE-2011-410[89], CVE-2011-4576, and CVE-2011-4619 in the advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4108
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4619

This advisory for the MDV 2011 version (which is closer to Mageia 1's) also mentions CVE-2012-0027:
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:007
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0027

Today (January 19) OpenSSL 1.0.0g comes out with this note: "This release fixed a DTLS DoS issue which was recently introduced by the fix for CVE-2011-4109."

I'll be happy to just submit the cauldron package into testing, but I think maybe dmorgan wants to give his opinion, as he updated several CVE issues before.

I will take a look at what is better Monday (maximum).

Mandriva posted this advisory today (January 29):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:011
Saying the previous fix for CVE-2011-4108 mentioned above was incorrect and caused a new issue CVE-2012-0050 which they have now corrected.
Funda Wang
2012-02-08 16:03:57 CET
Blocks: (none) => 3819

What's the plan for this package? Do we try to dig out every security patch in OpenSSL since 1.0.0d (what other kind of patch is there in OpenSSL?)? Are all of the patches that have been added to Mandriva's package sufficient? Do we upgrade it to the latest version?

Patched package uploaded.

Advisory:
========================

Updated openssl packages fix security vulnerabilities:

The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack (CVE-2011-4108).

Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to have an unspecified impact by triggering failure of a policy check (CVE-2011-4109).

The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer (CVE-2011-4576).

The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service via unspecified vectors (CVE-2011-4619).

The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service (daemon crash) via crafted data from a TLS client (CVE-2012-0027).

OpenSSL 0.9.8s and 1.0.0f does not properly support DTLS applications, which allows remote attackers to cause a denial of service via unspecified vectors. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4108 (CVE-2012-0050).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0027
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4619
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4108
http://www.openssl.org/news/secadv_20120104.txt
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:007
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0050
http://www.openssl.org/news/secadv_20120118.txt
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:011
========================

Updated packages in core/updates_testing:
========================
libopenssl1.0.0-1.0.0d-2.2.mga1
libopenssl-devel-1.0.0d-2.2.mga1
libopenssl-engines1.0.0-1.0.0d-2.2.mga1
libopenssl-static-devel-1.0.0d-2.2.mga1
openssl-1.0.0d-2.2.mga1

from openssl-1.0.0d-2.2.mga1.src.rpm

Assignee: bugsquad => qa-bugs

Testing complete on i586 for the srpm openssl-1.0.0d-2.2.mga1.src.rpm

I haven't found any PoCs for the CVEs, so just testing that it works using commands from http://www.madboa.com/geek/openssl/#intro-version and testing that web browsers work with https etc.

CC: (none) => davidwhodgins

Tested x86_64 and wiki page created.
https://wiki.mageia.org/en/Testing_procedure_for_openssl

Update validated

Could sysadmin please push from core/updates_testing to core/updates

Please see comment 11 for details.

Thank you!

Keywords: (none) => validated_update

update pushed

Status: NEW => RESOLVED
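The advisory quoted in this bug describes CVE-2011-4108 as a record layer that "performs a MAC check only if certain padding is valid". The following is an added example written for this page, not OpenSSL code and not part of the Mageia update or its test procedure. It models a MAC-then-encrypt CBC record layer with a toy XOR block cipher (a stand-in for AES, not secure; the oracle depends only on CBC chaining) and constructed keys, IV and plaintext. `open_vulnerable` is the pre-fix shape of the check (bad padding short-circuits before the MAC is computed, so the two failures are distinguishable), `open_hardened` is the post-fix shape (treat bad padding as a zero-length pad, always run the MAC, return one error), and `recover_last_byte` is a padding-oracle step that recovers a plaintext byte from the first and gets nothing from the second.

```python
import hashlib
import hmac

BLOCK = 16     # block size, as for AES-CBC in the TLS/DTLS record layer
MAC_LEN = 20   # HMAC-SHA1 tag length


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Toy block cipher: XOR with a key-derived block (NOT secure; stand-in for AES).
def _block_enc(key: bytes, block: bytes) -> bytes:
    return _xor(block, hashlib.sha256(b"blk" + key).digest()[:BLOCK])


_block_dec = _block_enc  # XOR is its own inverse


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = _block_enc(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out.append(_xor(_block_dec(key, c), prev))
        prev = c
    return b"".join(out)


def tls_pad(body: bytes) -> bytes:
    # TLS/DTLS 1.0 padding: n + 1 bytes, each with value n
    n = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes([n]) * (n + 1)


def seal(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """MAC-then-encrypt record: CBC( plaintext || HMAC(plaintext) || pad )."""
    tag = hmac.new(mac_key, plaintext, hashlib.sha1).digest()
    return cbc_encrypt(enc_key, iv, tls_pad(plaintext + tag))


def _pad_ok(dec: bytes) -> bool:
    n = dec[-1]
    return n + 1 <= len(dec) - MAC_LEN and all(b == n for b in dec[-(n + 1):])


def _split(dec: bytes, n: int):
    return dec[:-(n + 1) - MAC_LEN], dec[-(n + 1) - MAC_LEN:-(n + 1)]


def open_vulnerable(enc_key, mac_key, iv, record):
    """Pre-fix shape: the MAC is checked only when the padding is well formed, so
    a peer can tell 'bad padding' from 'bad MAC' (by error code and by timing)."""
    dec = cbc_decrypt(enc_key, iv, record)
    if not _pad_ok(dec):
        return "BAD_PADDING"
    body, tag = _split(dec, dec[-1])
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha1).digest(), tag):
        return "BAD_MAC"
    return body


def open_hardened(enc_key, mac_key, iv, record):
    """Post-fix shape: on bad padding proceed as if the pad were zero-length, so the
    MAC is always computed, and report a single undifferentiated error."""
    dec = cbc_decrypt(enc_key, iv, record)
    pad_ok = _pad_ok(dec)
    body, tag = _split(dec, dec[-1] if pad_ok else 0)
    mac_ok = hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha1).digest(), tag)
    if not (pad_ok and mac_ok):
        return "BAD_RECORD_MAC"
    return body


def recover_last_byte(oracle, prev_block: bytes, target_block: bytes):
    """Padding-oracle step: recover the last plaintext byte of target_block using
    only the peer's answers. oracle(record) returns whatever the peer reports."""
    accepted = [g for g in range(256)
                if oracle(bytes(BLOCK - 1) + bytes([g]) + target_block) != "BAD_PADDING"]
    if len(accepted) == 256:
        return None  # no padding signal at all: the oracle is closed
    for g in accepted:
        # A 1-byte pad (0x00) stays valid when the byte before it is changed;
        # a longer pad such as 0x01 0x01 does not, so this rules it out.
        probe = bytes(BLOCK - 2) + bytes([0xFF, g]) + target_block
        if oracle(probe) != "BAD_PADDING":
            return g ^ prev_block[-1]
    return None


# Constructed keys, IV and plaintext for the demonstration (assumptions, not real data)
ENC_KEY, MAC_KEY, IV = b"enc-key", b"mac-key", bytes(range(BLOCK))
PLAINTEXT = b"GET /secret HTTP/1.0\r\n"


def demo():
    """Attack the first ciphertext block (preceded by the IV) through both openers."""
    rec = seal(ENC_KEY, MAC_KEY, IV, PLAINTEXT)

    def attack(opener):
        return recover_last_byte(lambda r: opener(ENC_KEY, MAC_KEY, IV, r), IV, rec[:BLOCK])

    return attack(open_vulnerable), attack(open_hardened)


if __name__ == "__main__":
    leaked, closed = demo()
    print("vulnerable opener leaked:", None if leaked is None else chr(leaked))
    print("hardened opener leaked:", closed)
```

On the constructed input the vulnerable opener lets the attacker recover the last byte of the first plaintext block (`P` from `GET /secret HTTP`) with at most 257 queries; against the hardened opener every forged record comes back as the same `BAD_RECORD_MAC`, so the search has no signal and returns `None`. Collapsing the two errors and always computing the MAC is the necessary part of the fix; it is not sufficient on its own, because the MAC computation time still depends on how much padding was stripped, which is the remaining side channel later exploited by the Lucky Thirteen attack against TLS/DTLS implementations.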