A CVE was assigned for a use-after-free flaw in OpenSSL: http://openwall.com/lists/oss-security/2014/04/14/6 OpenBSD's patch is here: http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/008_openssl.patch There was a comment on the oss-security thread about something being a "NOP," but I don't know if that's referring to the vulnerability or the patch or something else. I have the OpenBSD patch in SVN currently, but I'm waiting to make sure it's the correct solution. For further reference, here's RedHat's bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-5298 Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA4TOO, MGA3TOO
Debian has issued an advisory for this on April 17: https://www.debian.org/security/2014/dsa-2908 I'll double check their patch and push an update next week.
URL: (none) => http://lwn.net/Vulnerabilities/595444/
The CVE-2010-5298 patch from OpenBSD is indeed the one Debian used. Debian also added the patch from the commit referenced in this oss-security thread: http://openwall.com/lists/oss-security/2014/04/16/4 That's the critical flag with TSA certificates issue referenced in their advisory. I've added this patch as well. Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron. Advisory: ======================== Updated openssl packages fix security vulnerability: A read buffer can be freed even when it still contains data that is used later on, leading to a use-after-free. Given a race condition in a multi-threaded application it may permit an attacker to inject data from one connection into another or cause denial of service (CVE-2010-5298). Also fixed in this update is a potential security issue with detection of the "critical" flag for the TSA extended key usage under certain cases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298 https://www.debian.org/security/2014/dsa-2908 ======================== Updated packages in core/updates_testing: ======================== openssl-1.0.1e-1.7.mga3 libopenssl-engines1.0.0-1.0.1e-1.7.mga3 libopenssl1.0.0-1.0.1e-1.7.mga3 libopenssl-devel-1.0.1e-1.7.mga3 libopenssl-static-devel-1.0.1e-1.7.mga3 openssl-1.0.1e-8.4.mga4 libopenssl-engines1.0.0-1.0.1e-8.4.mga4 libopenssl1.0.0-1.0.1e-8.4.mga4 libopenssl-devel-1.0.1e-8.4.mga4 libopenssl-static-devel-1.0.1e-8.4.mga4 from SRPMS: openssl-1.0.1e-1.7.mga3.src.rpm openssl-1.0.1e-8.4.mga4.src.rpm
Version: Cauldron => 4Assignee: bugsquad => qa-bugsWhiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Tests done on Mga i586. All is working properly concerning openSSL (access to https pages indeed).
CC: (none) => filorin.mageia
Guillaume did you test on Mga 3 or 4?
CC: (none) => wassi
Oops, forgotten ... Mga4. I add the ok.
Whiteboard: MGA3TOO => MGA3TOO mga4-32-ok
Procedure: https://wiki.mageia.org/en/QA_procedure:Openssl
Whiteboard: MGA3TOO mga4-32-ok => MGA3TOO has_procedure mga4-32-ok
Testing all of them now.
Testing complete. Advisory uploaded. Validating. Could sysadmin please push to 3 & 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: MGA3TOO has_procedure mga4-32-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-okCC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0187.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED