Bug 12096 - openssl new security issue CVE-2013-6449
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: critical
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/578018/
: advisory MGA3-32-OK MGA3-64-OK
: validated_update
: 11549
Reported: 2013-12-23 16:52 CET by David Walser
Modified: 2014-01-06 02:38 CET
Source RPM: openssl-1.0.1e-1.mga3.src.rpm

Description David Walser 2013-12-23 16:52:11 CET
Fedora has issued an advisory on December 22:
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124854.html

Patched packages uploaded for Mageia 3 and Cauldron.

Advisory:
========================

Updated openssl packages fix security vulnerability:

A flaw was reported for OpenSSL 1.0.1e that can cause an application using
OpenSSL to crash when using TLS version 1.2 (CVE-2013-6449).

Also, a NULL pointer reference issue has been fixed in SSL_get_certificate
(mga#11549).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6449
https://bugs.mageia.org/show_bug.cgi?id=11549
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124854.html
========================

Updated packages in core/updates_testing:
========================
openssl-1.0.1e-1.2.mga3
libopenssl-engines1.0.0-1.0.1e-1.2.mga3
libopenssl1.0.0-1.0.1e-1.2.mga3
libopenssl-devel-1.0.1e-1.2.mga3
libopenssl-static-devel-1.0.1e-1.2.mga3

from openssl-1.0.1e-1.2.mga3.src.rpm

Comment 1 William Kenney 2014-01-03 16:12:30 CET
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
openssl

install openssl

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.1e-1.mga3.i586 is already installed

Access test install with putty from an M3 system on the LAN successful

install openssl from updates_testing

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.1e-1.2.mga3.i586 is already installed

Access test install with putty from an M3 system on the LAN successful


Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
Comment 2 William Kenney 2014-01-03 16:13:08 CET
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
openssl

install openssl

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.1e-1.mga3.x86_64 is already installed

Access test install with putty from an M3 system on the LAN successful

install openssl from updates_testing

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.1e-1.2.mga3.x86_64 is already installed

Access test install with putty from an M3 system on the LAN successful


Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
Comment 3 Dave Hodgins 2014-01-05 21:07:59 CET
Validating the update.

Someone from the sysadmin team please push 12096.adv to updates.
Comment 4 Thomas Backlund 2014-01-06 02:38:53 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0008.html
