Bug 13148 - openssl new security issues CVE-2014-0076 and CVE-2014-0160
Summary: openssl new security issues CVE-2014-0076 and CVE-2014-0160
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/593110/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Reported: 2014-04-04 18:00 CEST by David Walser
Modified: 2014-04-08 19:00 CEST

Source RPM: openssl-1.0.1e-1.5.mga3.src.rpm, openssl-1.0.1e-8.2.mga4.src.rpm

Description David Walser 2014-04-04 18:00:02 CEST
OpenSuSE has issued an advisory today (April 4):
http://lists.opensuse.org/opensuse-updates/2014-04/msg00007.html

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated openssl packages fix security vulnerability:

The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure
that certain swap operations have a constant-time behavior, which makes it
easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache
side-channel attack (CVE-2014-0076).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076
http://lists.opensuse.org/opensuse-updates/2014-04/msg00007.html
========================

Updated packages in core/updates_testing:
========================
openssl-1.0.1e-1.4.mga3
libopenssl-engines1.0.0-1.0.1e-1.4.mga3
libopenssl1.0.0-1.0.1e-1.4.mga3
libopenssl-devel-1.0.1e-1.4.mga3
libopenssl-static-devel-1.0.1e-1.4.mga3
openssl-1.0.1e-8.1.mga4
libopenssl-engines1.0.0-1.0.1e-8.1.mga4
libopenssl1.0.0-1.0.1e-8.1.mga4
libopenssl-devel-1.0.1e-8.1.mga4
libopenssl-static-devel-1.0.1e-8.1.mga4

from SRPMS:
openssl-1.0.1e-1.4.mga3.src.rpm
openssl-1.0.1e-8.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
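An added example, not part of the original report and not OpenSSL's code: the constant-time swap property that CVE-2014-0076 concerns, shown on a Montgomery ladder for modular exponentiation rather than elliptic-curve points. The function names and the 32-bit modulus limit are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Branching swap, for contrast: whether the body executes depends on the
 * secret bit, so the code path (and the cache lines it touches) leaks it. */
void swap_branchy(uint64_t *a, uint64_t *b, uint64_t bit)
{
    if (bit & 1) { uint64_t t = *a; *a = *b; *b = t; }
}

/* Constant-time conditional swap: identical instructions for bit 0 and 1. */
void cswap(uint64_t *a, uint64_t *b, uint64_t bit)
{
    uint64_t mask = (uint64_t)0 - (bit & 1);   /* all zeros or all ones */
    uint64_t t = mask & (*a ^ *b);
    *a ^= t;
    *b ^= t;
}

/* Montgomery ladder computing base^exp mod m, for m < 2^32 so that the
 * products fit in 64 bits. Every iteration performs one multiply and one
 * square regardless of the exponent bit; only the cswap depends on it.
 * Assumption: '%' is used for brevity and is not claimed constant-time. */
uint64_t ladder_pow(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t r0 = 1 % m, r1 = base % m;        /* invariant: r1 = r0 * base */
    for (int i = 63; i >= 0; i--) {            /* fixed 64 iterations */
        uint64_t bit = (exp >> i) & 1;
        cswap(&r0, &r1, bit);
        r1 = (r0 * r1) % m;
        r0 = (r0 * r0) % m;
        cswap(&r0, &r1, bit);
    }
    return r0;
}

int main(void)
{
    /* Constructed inputs. */
    printf("3^13 mod 1000003 = %llu\n",
           (unsigned long long)ladder_pow(3, 13, 1000003));
    printf("2^10 mod 1000    = %llu\n",
           (unsigned long long)ladder_pow(2, 10, 1000));
    return 0;
}
```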

Comment 1 David Walser 2014-04-04 18:00:24 CEST
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Openssl

Whiteboard: (none) => MGA3TOO has_procedure

Comment 2 David Walser 2014-04-07 22:35:40 CEST
Version 1.0.1f has been released today (April 7) fixing another security issue:
http://openwall.com/lists/oss-security/2014/04/07/3

Updated package uploaded for Cauldron.

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated openssl packages fix security vulnerability:

The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure
that certain swap operations have a constant-time behavior, which makes it
easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache
side-channel attack (CVE-2014-0076).

A missing bounds check in the handling of the TLS heartbeat extension in
OpenSSL through 1.0.1f can be used to reveal up to 64k of memory to a
connected client or server (CVE-2014-0160).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
http://www.openssl.org/news/secadv_20140407.txt
http://lists.opensuse.org/opensuse-updates/2014-04/msg00007.html
========================

Updated packages in core/updates_testing:
========================
openssl-1.0.1e-1.5.mga3
libopenssl-engines1.0.0-1.0.1e-1.5.mga3
libopenssl1.0.0-1.0.1e-1.5.mga3
libopenssl-devel-1.0.1e-1.5.mga3
libopenssl-static-devel-1.0.1e-1.5.mga3
openssl-1.0.1e-8.2.mga4
libopenssl-engines1.0.0-1.0.1e-8.2.mga4
libopenssl1.0.0-1.0.1e-8.2.mga4
libopenssl-devel-1.0.1e-8.2.mga4
libopenssl-static-devel-1.0.1e-8.2.mga4

from SRPMS:
openssl-1.0.1e-1.5.mga3.src.rpm
openssl-1.0.1e-8.2.mga4.src.rpm
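An added example, not part of the original report and not OpenSSL's code: the bounds check whose absence CVE-2014-0160 describes, applied to an RFC 6520 heartbeat record (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding). The function names and the sample records are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request (RFC 6520) */
#define HB_RESPONSE 2   /* heartbeat_response */
#define HB_HEADER   3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16  /* minimum padding after the payload */

/* Constructed samples: an honest 4-byte payload, and a record that
 * claims 0xFFFF payload bytes while carrying none. */
static const uint8_t HB_OK[HB_HEADER + 4 + HB_MIN_PAD] = {1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t HB_BAD[HB_HEADER + HB_MIN_PAD] = {1, 0xFF, 0xFF};

/* payload_length as claimed by the peer; rec must hold HB_HEADER bytes. */
static size_t hb_claimed(const uint8_t *rec) { return ((size_t)rec[1] << 8) | rec[2]; }

/* Bytes past the received record that a copy trusting hb_claimed() would read. */
size_t hb_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER) return 0;
    size_t want = HB_HEADER + hb_claimed(rec);
    return want > rec_len ? want - rec_len : 0;
}

/* Echo the payload into out. Returns the response length, or 0 when the
 * record must be silently discarded. */
size_t hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap)
{
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;                      /* too short, or not a request */
    size_t payload = hb_claimed(rec);
    size_t total = HB_HEADER + payload + HB_MIN_PAD;
    if (total > rec_len || total > cap)
        return 0;                      /* claimed length exceeds what arrived */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);
    memset(out + HB_HEADER + payload, 0, HB_MIN_PAD); /* real stacks send random padding */
    return total;
}

int main(void)
{
    uint8_t out[64];
    printf("honest: reply %zu bytes\n", hb_respond(HB_OK, sizeof HB_OK, out, sizeof out));
    printf("forged: reply %zu bytes, unchecked over-read %zu\n",
           hb_respond(HB_BAD, sizeof HB_BAD, out, sizeof out), hb_overread(HB_BAD, sizeof HB_BAD));
    return 0;
}
```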

Oden Eriksson 2014-04-08 07:36:54 CEST

CC: (none) => oe
Summary: openssl new security issue CVE-2014-0076 => openssl new security issue CVE-2014-0076, CVE-2014-0160

claire robinson 2014-04-08 08:12:50 CEST

Source RPM: openssl-1.0.1e-1.3.mga3.src.rpm => openssl-1.0.1e-1.5.mga3.src.rpm, openssl-1.0.1e-8.2.mga4.src.rpm

Comment 3 claire robinson 2014-04-08 08:53:48 CEST
Testing complete mga4 32 & 64 using the procedure
https://wiki.mageia.org/en/QA_procedure:Openssl

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-32-ok mga4-64-ok

Comment 4 claire robinson 2014-04-08 08:54:13 CEST
Advisory uploaded

Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga4-32-ok mga4-64-ok

Comment 5 claire robinson 2014-04-08 09:28:23 CEST
Testing complete mga3 32 & 64

Validating.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure advisory mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 6 Colin Guthrie 2014-04-08 09:47:58 CEST
OK, I'll attempt to do this now... need to learn!

CC: (none) => mageia

Comment 7 Colin Guthrie 2014-04-08 10:06:37 CEST
OK, updates pushed.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 8 claire robinson 2014-04-08 10:08:49 CEST
Thanks Colin. Thomas usually gives a link to the advisory too when he closes the bug.

http://advisories.mageia.org/MGASA-2014-0165.html

Comment 9 Colin Guthrie 2014-04-08 10:16:50 CEST
Ooops, thanks Claire, I missed that bit in the instructions (and another bit that I'm just completing now - next one will be smoother :))

Comment 10 Samuel Verschelde 2014-04-08 13:59:47 CEST
(In reply to David Walser from comment #2)
> Version 1.0.1f has been released today (April 7) fixing another security
> issue:
> http://openwall.com/lists/oss-security/2014/04/07/3
> 

According to that link it's 1.0.1g. I don't know if that makes the advisory wrong though.

CC: (none) => stormi

Comment 11 David Walser 2014-04-08 14:23:19 CEST
(In reply to Samuel VERSCHELDE from comment #10)
> (In reply to David Walser from comment #2)
> > Version 1.0.1f has been released today (April 7) fixing another security
> > issue:
> > http://openwall.com/lists/oss-security/2014/04/07/3
> > 
> 
> According to that link it's 1.0.1g. I don't know if that makes the advisory
> wrong though.

Thanks for catching that. The advisory was actually correct, luckily :o)

Comment 12 David Walser 2014-04-08 19:00:24 CEST
LWN reference for CVE-2014-0160:
http://lwn.net/Vulnerabilities/593861/

Summary: openssl new security issue CVE-2014-0076, CVE-2014-0160 => openssl new security issues CVE-2014-0076 and CVE-2014-0160

