Bug 13874 - openssl new security issues fixed upstream in 1.0.1i
Summary: openssl new security issues fixed upstream in 1.0.1i
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/607993/
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-08-07 14:27 CEST by David Walser
Modified: 2014-08-12 11:17 CEST (History)

See Also:
Source RPM: openssl-1.0.1e-8.6.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2014-08-07 14:27:29 CEST
Upstream has issued an advisory on August 6:
https://www.openssl.org/news/secadv_20140806.txt

It lists several new issues (CVE-2014-3507 -- CVE-2014-3512, CVE-2014-5139) fixed upstream in 1.0.1i (just uploaded in Cauldron).

Mageia 3 and Mageia 4 are also affected.

David Walser 2014-08-07 14:27:36 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-08-07 14:50:36 CEST
Debian has issued an advisory for this today (August 7):
https://www.debian.org/security/2014/dsa-2998
Comment 2 David Walser 2014-08-07 15:14:49 CEST
Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated openssl packages fix security vulnerabilities:

A flaw in OBJ_obj2txt may cause pretty printing functions such as
X509_name_oneline, X509_name_print_ex et al. to leak some information from
the stack. Applications may be affected if they echo pretty printing output
to the attacker. OpenSSL SSL/TLS clients and servers themselves are not
affected (CVE-2014-3508).

The issue affects OpenSSL clients and allows a malicious server to crash
the client with a null pointer dereference (read) by specifying an SRP
ciphersuite even though it was not properly negotiated with the client. This
can be exploited through a Denial of Service attack (CVE-2014-5139).

If a multithreaded client connects to a malicious server using a resumed
session and the server sends an ec point format extension it could write up
to 255 bytes to freed memory (CVE-2014-3509).

An attacker can force an error condition which causes openssl to crash
whilst processing DTLS packets due to memory being freed twice. This can be
exploited through a Denial of Service attack (CVE-2014-3505).

An attacker can force openssl to consume large amounts of memory whilst
processing DTLS handshake messages. This can be exploited through a Denial
of Service attack (CVE-2014-3506).

By sending carefully crafted DTLS packets an attacker could cause openssl to
leak memory. This can be exploited through a Denial of Service attack
(CVE-2014-3507).

OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a
denial of service attack. A malicious server can crash the client with a
null pointer dereference (read) by specifying an anonymous (EC)DH
ciphersuite and sending carefully crafted handshake messages
(CVE-2014-3510).

A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
TLS 1.0 instead of higher protocol versions when the ClientHello message is
badly fragmented. This allows a man-in-the-middle attacker to force a
downgrade to TLS 1.0 even if both the server and the client support a higher
protocol version, by modifying the client's TLS records (CVE-2014-3511).

A malicious client or server can send invalid SRP parameters and overrun
an internal buffer. Only applications which are explicitly set up for SRP
use are affected (CVE-2014-3512).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3506
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3507
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3509
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3510
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5139
http://www.openssl.org/news/secadv_20140806.txt
https://www.debian.org/security/2014/dsa-2998
========================

Updated packages in core/updates_testing:
========================
openssl-1.0.1e-1.10.mga3
libopenssl-engines1.0.0-1.0.1e-1.10.mga3
libopenssl1.0.0-1.0.1e-1.10.mga3
libopenssl-devel-1.0.1e-1.10.mga3
libopenssl-static-devel-1.0.1e-1.10.mga3
openssl-1.0.1e-8.7.mga4
libopenssl-engines1.0.0-1.0.1e-8.7.mga4
libopenssl1.0.0-1.0.1e-8.7.mga4
libopenssl-devel-1.0.1e-8.7.mga4
libopenssl-static-devel-1.0.1e-8.7.mga4

from SRPMS:
openssl-1.0.1e-1.10.mga3.src.rpm
openssl-1.0.1e-8.7.mga4.src.rpm

Assignee: bugsquad => qa-bugs
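
To check whether an installed openssl package is at or beyond the fixed builds listed above, here is an added example (not from this bug or from Mageia's own tooling) implementing a simplified rpm version comparison; FIXED holds the NVRs from the advisory, and the package names fed to it are constructed inline (in practice they would come from `rpm -q openssl`).

```python
import re

# Fixed builds from Comment 2, keyed by the distribution tag in the release field.
FIXED = {"mga3": ("1.0.1e", "1.10.mga3"), "mga4": ("1.0.1e", "8.7.mga4")}

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Simplified rpmvercmp(3): split both strings into numeric and alphabetic
    segments, compare left to right; numeric segments compare as integers
    (so 1.10 > 1.9), alphabetic ones as strings, and a numeric segment sorts
    newer than an alphabetic one.  Tilde/caret handling is omitted
    (assumption: none of the NVRs in this advisory use them)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            return (int(x) > int(y)) - (int(x) < int(y))
        if xd != yd:
            return 1 if xd else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nvr(nvr):
    """'libopenssl1.0.0-1.0.1e-8.6.mga4' -> (name, version, release)."""
    name, ver, rel = nvr.rsplit("-", 2)
    return name, ver, rel


def is_patched(nvr):
    """True when the package's version-release is >= the fixed build for its release."""
    _, ver, rel = split_nvr(nvr)
    dist = rel.rsplit(".", 1)[-1]          # '8.6.mga4' -> 'mga4'
    if dist not in FIXED:
        raise ValueError("no fixed build known for %s" % dist)
    fver, frel = FIXED[dist]
    c = rpmvercmp(ver, fver) or rpmvercmp(rel, frel)
    return c >= 0


if __name__ == "__main__":
    # Constructed sample: the Source RPM named in this bug, and the fixed one.
    for pkg in ("openssl-1.0.1e-8.6.mga4", "openssl-1.0.1e-8.7.mga4"):
        print(pkg, "patched" if is_patched(pkg) else "VULNERABLE")
```

Note that a plain string comparison would wrongly rank the Mageia 3 fix `1.10.mga3` below `1.9.mga3`; the segment-wise compare above gets this right.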

David Walser 2014-08-07 17:17:11 CEST

URL: (none) => http://lwn.net/Vulnerabilities/607993/

Comment 3 Rémi Verschelde 2014-08-07 22:27:28 CEST
Procedure: https://wiki.mageia.org/en/QA_procedure:Openssl

CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 4 David Walser 2014-08-10 02:10:04 CEST
Testing complete on Mageia 4 i586 using the procedure on the Wiki.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-32-OK

Comment 5 David Walser 2014-08-11 16:17:02 CEST
Testing complete on Mageia 3 i586 using the procedure on the Wiki.

Whiteboard: MGA3TOO has_procedure MGA4-32-OK => MGA3TOO has_procedure MGA4-32-OK MGA3-32-OK

Comment 6 Rémi Verschelde 2014-08-11 19:29:39 CEST
Testing complete Mageia 3 64bit using the procedure in comment 3.

Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA3-32-OK => MGA3TOO has_procedure MGA4-32-OK MGA3-32-OK MGA3-64-OK

Comment 7 Rémi Verschelde 2014-08-11 19:30:13 CEST
Validating the update, advisory uploaded.

Please push openssl to Mageia 3 & 4 core/updates.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA4-32-OK MGA3-32-OK MGA3-64-OK advisory
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2014-08-12 11:17:27 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0325.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
