Upstream has issued an advisory on August 6:
https://www.openssl.org/news/secadv_20140806.txt

It lists several new issues (CVE-2014-3507 -- CVE-2014-3512, CVE-2014-5139) fixed upstream in 1.0.1i (just uploaded in Cauldron).

Mageia 3 and Mageia 4 are also affected.
Whiteboard: (none) => MGA3TOO
Debian has issued an advisory for this today (August 7): https://www.debian.org/security/2014/dsa-2998
Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated openssl packages fix security vulnerabilities:

A flaw in OBJ_obj2txt may cause pretty printing functions such as X509_name_oneline, X509_name_print_ex et al. to leak some information from the stack. Applications may be affected if they echo pretty printing output to the attacker. OpenSSL SSL/TLS clients and servers themselves are not affected (CVE-2014-3508).

The issue affects OpenSSL clients and allows a malicious server to crash the client with a null pointer dereference (read) by specifying an SRP ciphersuite even though it was not properly negotiated with the client. This can be exploited through a Denial of Service attack (CVE-2014-5139).

If a multithreaded client connects to a malicious server using a resumed session and the server sends an ec point format extension it could write up to 255 bytes to freed memory (CVE-2014-3509).

An attacker can force an error condition which causes openssl to crash whilst processing DTLS packets due to memory being freed twice. This can be exploited through a Denial of Service attack (CVE-2014-3505).

An attacker can force openssl to consume large amounts of memory whilst processing DTLS handshake messages. This can be exploited through a Denial of Service attack (CVE-2014-3506).

By sending carefully crafted DTLS packets an attacker could cause openssl to leak memory. This can be exploited through a Denial of Service attack (CVE-2014-3507).

OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a denial of service attack. A malicious server can crash the client with a null pointer dereference (read) by specifying an anonymous (EC)DH ciphersuite and sending carefully crafted handshake messages (CVE-2014-3510).

A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate TLS 1.0 instead of higher protocol versions when the ClientHello message is badly fragmented. This allows a man-in-the-middle attacker to force a downgrade to TLS 1.0 even if both the server and the client support a higher protocol version, by modifying the client's TLS records (CVE-2014-3511).

A malicious client or server can send invalid SRP parameters and overrun an internal buffer. Only applications which are explicitly set up for SRP use are affected (CVE-2014-3512).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3506
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3507
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3509
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3510
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5139
http://www.openssl.org/news/secadv_20140806.txt
https://www.debian.org/security/2014/dsa-2998
========================

Updated packages in core/updates_testing:
========================
openssl-1.0.1e-1.10.mga3
libopenssl-engines1.0.0-1.0.1e-1.10.mga3
libopenssl1.0.0-1.0.1e-1.10.mga3
libopenssl-devel-1.0.1e-1.10.mga3
libopenssl-static-devel-1.0.1e-1.10.mga3
openssl-1.0.1e-8.7.mga4
libopenssl-engines1.0.0-1.0.1e-8.7.mga4
libopenssl1.0.0-1.0.1e-8.7.mga4
libopenssl-devel-1.0.1e-8.7.mga4
libopenssl-static-devel-1.0.1e-8.7.mga4

from SRPMS:
openssl-1.0.1e-1.10.mga3.src.rpm
openssl-1.0.1e-8.7.mga4.src.rpm
Assignee: bugsquad => qa-bugs
URL: (none) => http://lwn.net/Vulnerabilities/607993/
Procedure: https://wiki.mageia.org/en/QA_procedure:Openssl
CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Testing complete on Mageia 4 i586 using the procedure on the Wiki.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-32-OK
Testing complete on Mageia 3 i586 using the procedure on the Wiki.
Whiteboard: MGA3TOO has_procedure MGA4-32-OK => MGA3TOO has_procedure MGA4-32-OK MGA3-32-OK
Testing complete on Mageia 3 64bit using the procedure in comment 3.
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA3-32-OK => MGA3TOO has_procedure MGA4-32-OK MGA3-32-OK MGA3-64-OK
Validating the update, advisory uploaded. Please push openssl to Mageia 3 & 4 core/updates.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA4-32-OK MGA3-32-OK MGA3-64-OK advisory
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0325.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED