Debian has issued an advisory on January 1: http://www.debian.org/security/2014/dsa-2833

They've also fixed CVE-2013-6449, which we have a fix in progress for in Bug 12096. This is a less severe issue, so I've filed a separate bug for this so as to not hold up the update for that issue.

Red Hat has a link to an upstream commit that fixes this: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6450
Whiteboard: (none) => MGA3TOO
Upstream has released 1.0.1f, fixing this, as well as a new issue just announced today, CVE-2013-4353. http://www.openssl.org/news/vulnerabilities.html#2013-6450

Cauldron has the patch for CVE-2013-4353 already, and a freeze push request is pending for the addition of the patch for CVE-2013-6450. Both patches are in Mageia 3 SVN.
Summary: openssl new security issue CVE-2013-6450 => openssl new security issues CVE-2013-6450 and CVE-2013-4353
Debian has issued an advisory for CVE-2013-4353 today (January 7): https://lists.debian.org/debian-security-announce/2014/msg00005.html

The DSA will be posted here: http://www.debian.org/security/2014/dsa-2837

from http://lwn.net/Vulnerabilities/579459/
openssl-1.0.1e-8.mga4 uploaded for Cauldron.
Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)
Patched package uploaded for Mageia 3.

Advisory:
========================

Updated openssl packages fix security vulnerabilities:

The DTLS retransmission implementation in OpenSSL through 1.0.1e does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context by interfering with packet delivery (CVE-2013-6450).

A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL pointer exception. A malicious server could use this flaw to crash a connecting client (CVE-2013-4353).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4353
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6450
http://www.openssl.org/news/vulnerabilities.html
http://www.debian.org/security/2014/dsa-2833
http://www.debian.org/security/2014/dsa-2837
========================

Updated packages in core/updates_testing:
========================
openssl-1.0.1e-1.3.mga3
libopenssl-engines1.0.0-1.0.1e-1.3.mga3
libopenssl1.0.0-1.0.1e-1.3.mga3
libopenssl-devel-1.0.1e-1.3.mga3
libopenssl-static-devel-1.0.1e-1.3.mga3

from openssl-1.0.1e-1.3.mga3.src.rpm
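The package list above names the exact NVRs that carry the fix, so the first thing an administrator wants to know is whether the openssl packages on a given Mageia 3 host are at or above 1.0.1e-1.3.mga3. The script below is an added example, not part of this bug report or of Mageia's tooling: it implements the RPM version-comparison rules (alternating digit/alpha segments, numeric segments compared as integers, a numeric segment beating an alphabetic one, leftover segments winning) and applies them to a constructed `rpm -q` output. The installed versions in SAMPLE_RPM_QUERY are invented for illustration; only the fixed NVRs come from the advisory. Epoch and tilde/caret handling beyond a plain epoch prefix is deliberately omitted.

```python
import re

# Fixed version from the advisory: all five packages share this EVR.
FIXED_EVR = "1.0.1e-1.3.mga3"
FIXED_PACKAGES = {
    "openssl",
    "libopenssl-engines1.0.0",
    "libopenssl1.0.0",
    "libopenssl-devel",
    "libopenssl-static-devel",
}

# Constructed sample of `rpm -q` output (not a real host's package list):
# one package still on an older release, one already at the fixed release,
# one on a hypothetical later release, one unrelated package to be ignored.
SAMPLE_RPM_QUERY = [
    "openssl-1.0.1e-1.2.mga3",
    "libopenssl1.0.0-1.0.1e-1.3.mga3",
    "libopenssl-engines1.0.0-1.0.1e-1.10.mga3",
    "libopenssl-devel-1.0.1e-1.1.mga3",
    "bash-4.2-22.mga3",
]

# RPM splits a version string into runs of digits and runs of letters;
# separators such as '.' and '-' are ignored apart from delimiting segments.
SEGMENT_RE = re.compile(r"(\d+|[A-Za-z]+)")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 following rpm's version-segment rules (tilde/caret ignored)."""
    sa, sb = SEGMENT_RE.findall(a), SEGMENT_RE.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            # Numeric segments compare as integers, so 10 > 9 and 003 == 3.
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif xd != yd:
            # A numeric segment is considered newer than an alphabetic one.
            return 1 if xd else -1
        elif x != y:
            # Both alphabetic: plain string comparison ("e" < "f").
            return -1 if x < y else 1
    # All shared segments equal: whichever string has segments left over is newer.
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def parse_evr(evr: str):
    """Split 'epoch:version-release' into (epoch, version, release); epoch defaults to 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, release = evr.rsplit("-", 1)
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)


def parse_nvr(nvr: str):
    """Split name-version-release; package names may themselves contain hyphens."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def audit(rpm_query_lines, fixed_evr=FIXED_EVR, fixed_packages=FIXED_PACKAGES):
    """Map each affected installed package to 'fixed' or 'vulnerable'."""
    report = {}
    for line in rpm_query_lines:
        name, version, release = parse_nvr(line.strip())
        if name not in fixed_packages:
            continue  # unrelated package, not covered by this advisory
        status = "fixed" if evrcmp(f"{version}-{release}", fixed_evr) >= 0 else "vulnerable"
        report[name] = status
    return report


if __name__ == "__main__":
    for pkg, status in sorted(audit(SAMPLE_RPM_QUERY).items()):
        print(f"{pkg:28s} {status}")
```

On a real host the input would come from `rpm -q openssl libopenssl-engines1.0.0 libopenssl1.0.0 libopenssl-devel libopenssl-static-devel` instead of the constructed list; the comparison itself is the point, since a naive string compare would wrongly rank 1.10.mga3 below 1.3.mga3 and 1.0.1 above 1.0.1e.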
Assignee: bugsquad => qa-bugs
Severity: major => critical
Updated to openssl-1.0.1e-1.3 from testing. I ran all the tests using the wiki page information (https://wiki.mageia.org/en/QA_procedure:Openssl). No regression on this new release. OK on x86_64.
CC: (none) => ennael1
Whiteboard: (none) => mga3-64-ok
Same tests executed on i586. No regression.
Whiteboard: mga3-64-ok => mga3-64-ok, mga3-64-ok
Update validated. Thanks.

Advisory:

Updated openssl packages fix security vulnerabilities:

The DTLS retransmission implementation in OpenSSL through 1.0.1e does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context by interfering with packet delivery (CVE-2013-6450).

A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL pointer exception. A malicious server could use this flaw to crash a connecting client (CVE-2013-4353).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4353
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6450
http://www.openssl.org/news/vulnerabilities.html
http://www.debian.org/security/2014/dsa-2833
http://www.debian.org/security/2014/dsa-2837

SRPM: openssl-1.0.1e-1.3.mga3.src.rpm

Could sysadmin please push from core/updates_testing to core/updates. Thank you!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0012.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Whiteboard: mga3-64-ok, mga3-64-ok => advisory mga3-64-ok, mga3-64-ok