Bug 12096 - openssl new security issue CVE-2013-6449
Summary: openssl new security issue CVE-2013-6449
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/578018/
Whiteboard: advisory MGA3-32-OK MGA3-64-OK
Keywords: validated_update
Depends on:
Blocks: 11549
Reported: 2013-12-23 16:52 CET by David Walser
Modified: 2014-01-06 02:38 CET

See Also:
Source RPM: openssl-1.0.1e-1.mga3.src.rpm
CVE:
Status comment:


Description David Walser 2013-12-23 16:52:11 CET
Fedora has issued an advisory on December 22:
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124854.html

Patched packages uploaded for Mageia 3 and Cauldron.

Advisory:
========================

Updated openssl packages fix security vulnerability:

A flaw was reported for OpenSSL 1.0.1e that can cause applications using
OpenSSL to crash when using TLS version 1.2 (CVE-2013-6449).

Also, a NULL pointer reference issue has been fixed in SSL_get_certificate
(mga#11549).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6449
https://bugs.mageia.org/show_bug.cgi?id=11549
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124854.html
========================

Updated packages in core/updates_testing:
========================
openssl-1.0.1e-1.2.mga3
libopenssl-engines1.0.0-1.0.1e-1.2.mga3
libopenssl1.0.0-1.0.1e-1.2.mga3
libopenssl-devel-1.0.1e-1.2.mga3
libopenssl-static-devel-1.0.1e-1.2.mga3

from openssl-1.0.1e-1.2.mga3.src.rpm

David Walser 2013-12-23 16:52:20 CET

Blocks: (none) => 11549

David Walser 2013-12-23 22:22:13 CET

URL: (none) => http://lwn.net/Vulnerabilities/578018/

Dave Hodgins 2014-01-02 17:53:30 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 1 William Kenney 2014-01-03 16:12:30 CET
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
openssl

install openssl

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.1e-1.mga3.i586 is already installed

Access test install with putty from an M3 system on the LAN successful

install openssl from updates_testing

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.1e-1.2.mga3.i586 is already installed

Access test install with putty from an M3 system on the LAN successful


Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm

CC: (none) => wilcal.int
Whiteboard: advisory => advisory MGA3-32-OK

Comment 2 William Kenney 2014-01-03 16:13:08 CET
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
openssl

install openssl

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.1e-1.mga3.x86_64 is already installed

Access test install with putty from an M3 system on the LAN successful

install openssl from updates_testing

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.1e-1.2.mga3.x86_64 is already installed

Access test install with putty from an M3 system on the LAN successful


Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm

Whiteboard: advisory MGA3-32-OK => advisory MGA3-32-OK MGA3-64-OK

Comment 3 Dave Hodgins 2014-01-05 21:07:59 CET
Validating the update.

Someone from the sysadmin team please push 12096.adv to updates.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 Thomas Backlund 2014-01-06 02:38:53 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0008.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
