Bug 13309 - openssl new security issue CVE-2014-0198
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/597337/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
 
Reported: 2014-05-02 21:38 CEST by David Walser
Modified: 2014-05-05 18:51 CEST

See Also:
Source RPM: openssl-1.0.1e-8.4.mga4.src.rpm


Description David Walser 2014-05-02 21:38:07 CEST
A CVE has been issued for a potential DoS issue in openssl today (May 2):
http://openwall.com/lists/oss-security/2014/05/02/6

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated openssl packages fix security vulnerability:

A null pointer dereference bug in OpenSSL 1.0.1g and earlier in
do_ssl3_write() could possibly allow an attacker to generate an SSL
alert which would cause OpenSSL to crash, resulting in a denial of service
(CVE-2014-0198).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/005_openssl.patch.sig
http://openwall.com/lists/oss-security/2014/05/02/6
========================

Updated packages in core/updates_testing:
========================
openssl-1.0.1e-1.8.mga3
libopenssl-engines1.0.0-1.0.1e-1.8.mga3
libopenssl1.0.0-1.0.1e-1.8.mga3
libopenssl-devel-1.0.1e-1.8.mga3
libopenssl-static-devel-1.0.1e-1.8.mga3
openssl-1.0.1e-8.5.mga4
libopenssl-engines1.0.0-1.0.1e-8.5.mga4
libopenssl1.0.0-1.0.1e-8.5.mga4
libopenssl-devel-1.0.1e-8.5.mga4
libopenssl-static-devel-1.0.1e-8.5.mga4

from SRPMS:
openssl-1.0.1e-1.8.mga3.src.rpm
openssl-1.0.1e-8.5.mga4.src.rpm

David Walser 2014-05-02 21:38:18 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-05-02 21:38:51 CEST
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Openssl

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 2 claire robinson 2014-05-03 14:55:43 CEST
Testing complete mga3 32 & 64 and mga4 32 & 64

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 3 Thomas Backlund 2014-05-03 18:39:04 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0204.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2014-05-05 18:51:42 CEST

URL: (none) => http://lwn.net/Vulnerabilities/597337/

