Bug 5117

Summary: openssl new security issues CVE-2012-0884 and CVE-2012-1165
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: davidwhodgins, sysadmin-bugs, tmb
Version: 1
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
Whiteboard:
Source RPM: openssl-1.0.0d-2.2.mga1.src.rpm
CVE:
Status comment:

Description David Walser 2012-03-26 20:30:10 CEST
Mandriva has issued this advisory today (March 26):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:038

Cauldron is not vulnerable (already has 1.0.0h).  Patched package for 1 is up.

Advisory:
========================

Updated openssl packages fix security vulnerabilities:

The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in
OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict
certain oracle behavior, which makes it easier for context-dependent
attackers to decrypt data via a Million Message Attack (MMA) adaptive
chosen ciphertext attack (CVE-2012-0884).

The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before
0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial
of service (NULL pointer dereference and application crash) via a
crafted S/MIME message, a different vulnerability than CVE-2006-7250
(CVE-2012-1165).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0884
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1165
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:038
========================

Updated packages in core/updates_testing:
========================
openssl-1.0.0d-2.3.mga1
libopenssl-engines1.0.0-1.0.0d-2.3.mga1
libopenssl1.0.0-1.0.0d-2.3.mga1
libopenssl-devel-1.0.0d-2.3.mga1
libopenssl-static-devel-1.0.0d-2.3.mga1

from openssl-1.0.0d-2.3.mga1.src.rpm
Comment 1 Dave Hodgins 2012-04-04 21:07:08 CEST
Testing complete on i586 for the srpm
openssl-1.0.0d-2.3.mga1.src.rpm

Testing using apache with https://localhost/,
kolab, and cyrus-imapd.

CC: (none) => davidwhodgins

Comment 2 Dave Hodgins 2012-04-06 05:23:36 CEST
Ping.  We still need x86-64 bit testing for this security update.
Comment 3 Manuel Hiebel 2012-04-11 02:04:40 CEST
Using the update of openssl for some weeks without any issue (apache, ssh, etc).
Suggested Advisory:
-------------
Updated openssl packages fix security vulnerabilities:

The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in
OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict
certain oracle behavior, which makes it easier for context-dependent
attackers to decrypt data via a Million Message Attack (MMA) adaptive
chosen ciphertext attack (CVE-2012-0884).

The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before
0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial
of service (NULL pointer dereference and application crash) via a
crafted S/MIME message, a different vulnerability than CVE-2006-7250
(CVE-2012-1165).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0884
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1165
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:038

https://bugs.mageia.org/show_bug.cgi?id=5117
-------------

SRPM: openssl-1.0.0d-2.3.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 Thomas Backlund 2012-04-11 21:41:33 CEST
Update pushed

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 5 Manuel Hiebel 2012-04-12 00:24:43 CEST
seen on mageia-discuss

le fichier /usr/include/openssl/cms.h de l'installation de
lib64openssl-devel-1.0.0d-2.3.mga1.x86_64 entre en conflit avec le
fichier du paquetage libopenssl-devel-1.0.0d-2.2.mga1.i586

le fichier /usr/include/openssl/cms.h de l'installation de
libopenssl-devel-1.0.0d-2.3.mga1.i586 entre en conflit avec le fichier
du paquetage lib64openssl-devel-1.0.0d-2.2.mga1.x86_64

What's happening?
Comment 6 Manuel Hiebel 2012-04-12 00:26:41 CEST
Read too fast, user-side issue, mix of x86_64 and i586, sorry.