OpenSuSE has issued an advisory today (April 4):
http://lists.opensuse.org/opensuse-updates/2014-04/msg00007.html

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated openssl packages fix security vulnerability:

The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack (CVE-2014-0076).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076
http://lists.opensuse.org/opensuse-updates/2014-04/msg00007.html
========================

Updated packages in core/updates_testing:
========================

openssl-1.0.1e-1.4.mga3
libopenssl-engines1.0.0-1.0.1e-1.4.mga3
libopenssl1.0.0-1.0.1e-1.4.mga3
libopenssl-devel-1.0.1e-1.4.mga3
libopenssl-static-devel-1.0.1e-1.4.mga3

openssl-1.0.1e-8.1.mga4
libopenssl-engines1.0.0-1.0.1e-8.1.mga4
libopenssl1.0.0-1.0.1e-8.1.mga4
libopenssl-devel-1.0.1e-8.1.mga4
libopenssl-static-devel-1.0.1e-8.1.mga4

from SRPMS:
openssl-1.0.1e-1.4.mga3.src.rpm
openssl-1.0.1e-8.1.mga4.src.rpm

Reproducible:

Steps to Reproduce:
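The advisory above describes a swap that is only performed when a secret bit is set, so the memory it touches differs per bit. The following C is an added illustration written for this page, not code from OpenSSL or from the Mageia update: it places a branchy conditional swap (the pattern the advisory warns about) beside a masked conditional swap that performs identical loads and stores whichever way the bit falls. The limb arrays, the function names and the 4-limb size are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Branchy conditional swap: when cond is 0 no memory is touched, when it is
 * 1 both arrays are read and written. A co-resident process watching cache
 * state (the FLUSH+RELOAD setting in the advisory) can tell the cases apart,
 * and in a Montgomery ladder cond is a bit of the secret scalar.
 * Kept here only as the contrast to cswap_ct below. */
void cswap_branchy(uint64_t *a, uint64_t *b, size_t n, unsigned cond)
{
    if (cond) {
        for (size_t i = 0; i < n; i++) {
            uint64_t t = a[i];
            a[i] = b[i];
            b[i] = t;
        }
    }
}

/* Constant-time conditional swap: turn the condition bit into an all-ones
 * or all-zeros mask, then execute exactly the same loads and stores on
 * every call. cond changes only the data written, never the control flow
 * or the addresses accessed. */
void cswap_ct(uint64_t *a, uint64_t *b, size_t n, unsigned cond)
{
    uint64_t mask = (uint64_t)0 - (uint64_t)(cond & 1u); /* 0 or 0xFFFF...F */
    for (size_t i = 0; i < n; i++) {
        uint64_t t = (a[i] ^ b[i]) & mask;
        a[i] ^= t;
        b[i] ^= t;
    }
}

/* Demo helper: 1 if the two limb arrays hold the same value. */
int limbs_equal(const uint64_t *x, const uint64_t *y, size_t n)
{
    uint64_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= x[i] ^ y[i];
    return diff == 0;
}

int main(void)
{
    /* Constructed 4-limb values standing in for the ladder points R0, R1. */
    uint64_t r0[4] = {1, 2, 3, 4};
    uint64_t r1[4] = {10, 20, 30, 40};
    const uint64_t orig_r0[4] = {1, 2, 3, 4};
    const uint64_t orig_r1[4] = {10, 20, 30, 40};

    cswap_ct(r0, r1, 4, 1);   /* bit set: contents exchanged */
    printf("swapped: %d\n",
           limbs_equal(r0, orig_r1, 4) && limbs_equal(r1, orig_r0, 4));
    cswap_ct(r0, r1, 4, 0);   /* bit clear: same accesses, contents kept */
    printf("unchanged: %d\n", limbs_equal(r0, orig_r1, 4));
    return 0;
}
```

The masked form is what a reviewer looks for in any scalar-multiplication loop: the loop bounds, the memory addresses and the instruction sequence must be independent of the secret, and only the data flowing through the mask may depend on it.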
Testing procedure: https://wiki.mageia.org/en/QA_procedure:Openssl
Whiteboard: (none) => MGA3TOO has_procedure
Version 1.0.1f has been released today (April 7) fixing another security issue:
http://openwall.com/lists/oss-security/2014/04/07/3

Updated package uploaded for Cauldron.

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated openssl packages fix security vulnerability:

The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack (CVE-2014-0076).

A missing bounds check in the handling of the TLS heartbeat extension in OpenSSL through 1.0.1f can be used to reveal up to 64k of memory to a connected client or server (CVE-2014-0160).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
http://www.openssl.org/news/secadv_20140407.txt
http://lists.opensuse.org/opensuse-updates/2014-04/msg00007.html
========================

Updated packages in core/updates_testing:
========================

openssl-1.0.1e-1.5.mga3
libopenssl-engines1.0.0-1.0.1e-1.5.mga3
libopenssl1.0.0-1.0.1e-1.5.mga3
libopenssl-devel-1.0.1e-1.5.mga3
libopenssl-static-devel-1.0.1e-1.5.mga3

openssl-1.0.1e-8.2.mga4
libopenssl-engines1.0.0-1.0.1e-8.2.mga4
libopenssl1.0.0-1.0.1e-8.2.mga4
libopenssl-devel-1.0.1e-8.2.mga4
libopenssl-static-devel-1.0.1e-8.2.mga4

from SRPMS:
openssl-1.0.1e-1.5.mga3.src.rpm
openssl-1.0.1e-8.2.mga4.src.rpm
CC: (none) => oe
Summary: openssl new security issue CVE-2014-0076 => openssl new security issue CVE-2014-0076, CVE-2014-0160
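The second advisory entry above turns on one missing length check. As an added example for this page (not OpenSSL's code and not part of the Mageia update), the C below parses a heartbeat message in the RFC 6520 layout (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding) and refuses any record whose declared payload length does not fit inside the bytes actually received. The `heartbeat_parse`/`heartbeat_build` names, the `struct heartbeat` type and the sample records are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define HB_HEADER_LEN   3   /* type (1) + payload length (2) */
#define HB_MIN_PADDING 16   /* RFC 6520 requires at least 16 bytes of padding */

struct heartbeat {
    uint8_t type;
    uint16_t payload_len;
    const uint8_t *payload;   /* points into the caller's record buffer */
};

/* Returns 1 and fills *out when the record is well formed, 0 when it must be
 * silently discarded. The second length test is the check the advisory
 * describes as missing: without it the peer-supplied payload_len was trusted
 * and the reply copied that many bytes from the payload pointer, however
 * short the received record really was. */
int heartbeat_parse(const uint8_t *rec, size_t rec_len, struct heartbeat *out)
{
    /* A record cannot be shorter than header plus minimum padding. */
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return 0;

    uint8_t type = rec[0];
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);

    /* Declared payload plus header plus padding must fit in the record.
     * size_t arithmetic keeps the sum from wrapping. */
    if ((size_t)HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return 0;

    out->type = type;
    out->payload_len = payload_len;
    out->payload = rec + HB_HEADER_LEN;
    return 1;
}

/* Test-input builder: writes a heartbeat_request carrying actual_len payload
 * bytes but advertising declared_len, so the parser can be exercised with
 * honest and dishonest length fields. Returns bytes written, 0 if buf is
 * too small. */
size_t heartbeat_build(uint8_t *buf, size_t buf_len, const uint8_t *payload,
                       size_t actual_len, uint16_t declared_len)
{
    size_t total = HB_HEADER_LEN + actual_len + HB_MIN_PADDING;
    if (buf_len < total)
        return 0;
    buf[0] = 1;                              /* heartbeat_request */
    buf[1] = (uint8_t)(declared_len >> 8);
    buf[2] = (uint8_t)(declared_len & 0xff);
    memcpy(buf + HB_HEADER_LEN, payload, actual_len);
    memset(buf + HB_HEADER_LEN + actual_len, 0, HB_MIN_PADDING);
    return total;
}

int main(void)
{
    uint8_t rec[64];
    struct heartbeat hb;
    const uint8_t body[] = "abc";            /* constructed 3-byte payload */

    /* Honest record: declared length equals the bytes present. */
    size_t n = heartbeat_build(rec, sizeof rec, body, 3, 3);
    printf("honest record accepted: %d\n", heartbeat_parse(rec, n, &hb));

    /* Record claiming 0xFFFF payload bytes while carrying three. */
    n = heartbeat_build(rec, sizeof rec, body, 3, 0xFFFF);
    printf("oversized claim accepted: %d\n", heartbeat_parse(rec, n, &hb));
    return 0;
}
```

The pattern generalises to any length-prefixed field: validate the declared length against the bytes you actually hold before using it as a copy count, and do the comparison in a type wide enough that the addition cannot overflow.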
Source RPM: openssl-1.0.1e-1.3.mga3.src.rpm => openssl-1.0.1e-1.5.mga3.src.rpm, openssl-1.0.1e-8.2.mga4.src.rpm
Testing complete mga4 32 & 64 using the procedure https://wiki.mageia.org/en/QA_procedure:Openssl
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-32-ok mga4-64-ok
Advisory uploaded
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga4-32-ok mga4-64-ok
Testing complete mga3 32 & 64. Validating. Could sysadmin please push to 3 & 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure advisory mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
OK, I'll attempt to do this now... need to learn!
CC: (none) => mageia
OK, updates pushed.
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Thanks Colin. Thomas usually gives a link to the advisory too when he closes the bug. http://advisories.mageia.org/MGASA-2014-0165.html
Ooops, thanks Claire, I missed that bit in the instructions (and another bit that I'm just completing now - next one will be smoother :))
(In reply to David Walser from comment #2)
> Version 1.0.1f has been released today (April 7) fixing another security
> issue:
> http://openwall.com/lists/oss-security/2014/04/07/3
>

According to that link it's 1.0.1g. I don't know if that makes the advisory wrong though.
CC: (none) => stormi
(In reply to Samuel VERSCHELDE from comment #10)
> (In reply to David Walser from comment #2)
> > Version 1.0.1f has been released today (April 7) fixing another security
> > issue:
> > http://openwall.com/lists/oss-security/2014/04/07/3
> >
> According to that link it's 1.0.1g. I don't know if that makes the advisory
> wrong though.

Thanks for catching that. The advisory was actually correct, luckily :o)
LWN reference for CVE-2014-0160: http://lwn.net/Vulnerabilities/593861/
Summary: openssl new security issue CVE-2014-0076, CVE-2014-0160 => openssl new security issues CVE-2014-0076 and CVE-2014-0160