Upstream has issued an advisory today (October 15):
https://www.openssl.org/news/secadv_20141015.txt

The issues are fixed upstream in 1.0.1j (already uploaded for Cauldron).

Mageia 3 is also affected.
Whiteboard: (none) => MGA3TOO
I'm currently waiting to see what changes Fedora makes to their openssl packages for this. I'm also interested to see if they disable SSLv3 by default in their httpd ssl configuration.
RedHat has issued an advisory for this today (October 16):
https://rhn.redhat.com/errata/RHSA-2014-1652.html

Just some administrative notes: CVE-2014-3566 (POODLE) is not fixable; it is only mitigated by the TLS_FALLBACK_SCSV addition, which prevents attackers from being able to force a connection to use SSLv3. Also, CVE-2014-3568 doesn't need to be listed in the advisory because it is a build-time issue affecting a build option we aren't using anyway.
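The httpd SSLv3 question raised in the two comments above can be checked mechanically. The following Python script is an added example for this page, not code from this bug report or from Mageia's packages. It models mod_ssl's SSLProtocol argument handling in simplified form (assumption: a bare or '+' token adds a protocol, '-' removes one, 'all' stands for every protocol, tokens are processed left to right) and flags any configuration that still leaves SSLv3 (or SSLv2) enabled, including the case of no directive at all, where mod_ssl 2.4 of that era defaulted to 'all'. Both config snippets are constructed samples.

```python
import re

# Protocol tokens mod_ssl of the 2.4.7 era accepted in SSLProtocol; "all" expands to every one.
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def parse_ssl_protocol(directive_args):
    """Evaluate the argument list of an SSLProtocol directive into the set of
    enabled protocols. Simplified model of mod_ssl's parser (assumption): a bare
    or '+'-prefixed token adds a protocol, '-' removes it, 'all' means every
    protocol, and tokens are applied left to right."""
    enabled = set()
    for token in directive_args.split():
        action, name = "+", token
        if token[0] in "+-":
            action, name = token[0], token[1:]
        if name.lower() == "all":
            names = set(PROTOCOLS)
        else:
            match = next((p for p in PROTOCOLS if p.lower() == name.lower()), None)
            if match is None:
                raise ValueError("unknown protocol token: %r" % token)
            names = {match}
        if action == "-":
            enabled -= names
        else:
            enabled |= names
    return enabled


def audit_httpd_config(text):
    """Find every SSLProtocol line in httpd config text and report, per line,
    the enabled protocol set and whether SSLv2/SSLv3 is still on. Commented-out
    lines do not match. With no directive at all the mod_ssl 2.4 default of
    'all' applies (assumption: the default before distributions changed it)."""
    pattern = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
    findings = []
    matches = list(pattern.finditer(text))
    if not matches:
        findings.append(("<no SSLProtocol directive: default 'all' applies>",
                         parse_ssl_protocol("all")))
    for m in matches:
        findings.append((m.group(0).strip(), parse_ssl_protocol(m.group(1))))
    return [(line, sorted(protos), bool(protos & {"SSLv2", "SSLv3"}))
            for line, protos in findings]


# Constructed sample: a pre-POODLE style ssl.conf that only dropped SSLv2.
WEAK_CONF = """# constructed sample
Listen 443
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:!aNULL
"""

# Constructed sample: require TLS 1.0 or newer, as the advisory recommends.
HARDENED_CONF = """# constructed sample
Listen 443
#SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("empty", "Listen 443\n")):
        for line, protos, still_weak in audit_httpd_config(conf):
            print("%-8s %-55s enabled=%s %s" % (label, line, ",".join(protos),
                                               "** SSLv3 STILL ENABLED **" if still_weak else "ok"))
```

The audit deliberately reports the "no directive" case as weak, since a config that never mentions SSLProtocol inherits whatever the module defaults to, which is what the comment above is asking about.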
URL: (none) => http://lwn.net/Vulnerabilities/616446/
Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated openssl packages fix security vulnerabilities:

This update adds support for the TLS Fallback Signaling Cipher Suite Value (TLS_FALLBACK_SCSV), which can be used to prevent protocol downgrade attacks against applications which re-connect using a lower SSL/TLS protocol version when the initial connection indicating the highest supported protocol version fails. This can prevent a forceful downgrade of the communication to SSL 3.0. The SSL 3.0 protocol was found to be vulnerable to the padding oracle attack when using block cipher suites in cipher block chaining (CBC) mode. This issue is identified as CVE-2014-3566, and also known under the alias POODLE. This SSL 3.0 protocol flaw will not be addressed in a future update; it is recommended that users configure their applications to require at least TLS protocol version 1.0 for secure communication. For additional information about this flaw, see the RedHat Knowledgebase article in the references.

A memory leak flaw was found in the way OpenSSL parsed the DTLS Secure Real-time Transport Protocol (SRTP) extension data. A remote attacker could send multiple specially crafted handshake messages to exhaust all available memory of an SSL/TLS or DTLS server (CVE-2014-3513).

A memory leak flaw was found in the way OpenSSL handled failed session ticket integrity checks. A remote attacker could exhaust all available memory of an SSL/TLS or DTLS server by sending a large number of invalid session tickets to that server (CVE-2014-3567).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
https://access.redhat.com/articles/1232123
https://rhn.redhat.com/errata/RHSA-2014-1652.html
========================

Updated packages in core/updates_testing:
========================
openssl-1.0.1e-1.11.mga3
libopenssl-engines1.0.0-1.0.1e-1.11.mga3
libopenssl1.0.0-1.0.1e-1.11.mga3
libopenssl-devel-1.0.1e-1.11.mga3
libopenssl-static-devel-1.0.1e-1.11.mga3

openssl-1.0.1e-8.8.mga4
libopenssl-engines1.0.0-1.0.1e-8.8.mga4
libopenssl1.0.0-1.0.1e-8.8.mga4
libopenssl-devel-1.0.1e-8.8.mga4
libopenssl-static-devel-1.0.1e-8.8.mga4

from SRPMS:
openssl-1.0.1e-1.11.mga3.src.rpm
openssl-1.0.1e-8.8.mga4.src.rpm
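The advisory's description of TLS_FALLBACK_SCSV is easier to follow with both sides of the exchange spelled out. The following Python simulation is an added example written for this page; it is not OpenSSL code and not part of the Mageia package. It models a browser-style client that falls back one protocol version per failed connection and adds the signalling suite to every retry, a server that may or may not honour the signal, and a network path that drops the first few handshakes. The cipher-suite ids, the ClientHello/Reply shapes and the version list are constructed for the toy; the value 0x5600 is the signalling suite later standardised in RFC 7507. It shows why the SCSV is only a mitigation: an unpatched server still ends up on SSLv3, a patched one refuses the downgrade, a legitimately old server is still reachable, and only a server that requires TLS 1.0 or newer is safe whatever the client does.

```python
from dataclasses import dataclass

# Versions ordered newest first; the simulated client falls back down this list.
VERSIONS = ["TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3"]
TLS_FALLBACK_SCSV = 0x5600        # signalling cipher-suite value (RFC 7507)
REAL_SUITES = [0x002F, 0x0035]    # constructed: two ordinary suite ids for the toy hello


def rank(version):
    """Lower rank = newer protocol."""
    return VERSIONS.index(version)


@dataclass
class ClientHello:
    version: str          # highest version this hello offers
    cipher_suites: list


@dataclass
class Reply:
    ok: bool
    version: str = ""
    alert: str = ""


class Server:
    """Toy server that only decides on the protocol version.
    version_intolerant=True models old servers that drop hellos newer than
    max_version, the behaviour that made browsers implement fallback at all."""

    def __init__(self, max_version, min_version, supports_scsv, version_intolerant=False):
        self.max_version = max_version
        self.min_version = min_version
        self.supports_scsv = supports_scsv
        self.version_intolerant = version_intolerant

    def handle(self, hello):
        if self.version_intolerant and rank(hello.version) < rank(self.max_version):
            return None  # connection dies with no reply at all
        if (self.supports_scsv and TLS_FALLBACK_SCSV in hello.cipher_suites
                and rank(hello.version) > rank(self.max_version)):
            # The client says it is retrying after a failure, yet offers less than we
            # support: the earlier failure was not ours, so refuse the downgrade.
            return Reply(False, alert="inappropriate_fallback")
        chosen = hello.version if rank(hello.version) >= rank(self.max_version) else self.max_version
        if rank(chosen) > rank(self.min_version):
            return Reply(False, alert="protocol_version")   # e.g. SSLv3 disabled
        return Reply(True, version=chosen)


def connect(server, drop_first_n=0):
    """Browser-style client: try the newest version, and after a connection failure
    (no reply) retry with the next older version, adding TLS_FALLBACK_SCSV to every
    retry. drop_first_n models a hostile or broken path that kills the first n
    handshakes outright. Returns the negotiated version or the alert received."""
    dropped = 0
    for attempt, version in enumerate(VERSIONS):
        suites = list(REAL_SUITES)
        if attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)
        reply = None
        if dropped < drop_first_n:
            dropped += 1                       # handshake never reaches the server
        else:
            reply = server.handle(ClientHello(version, suites))
        if reply is None:
            continue                           # connection failure: fall back one step
        return reply.version if reply.ok else "alert:" + reply.alert
    return "alert:no_version_left"


def scenarios():
    hostile = 3  # drop the first three handshakes, pushing the client down to SSLv3
    return {
        "unpatched, hostile path": connect(Server("TLSv1.2", "SSLv3", supports_scsv=False), hostile),
        "patched, hostile path": connect(Server("TLSv1.2", "SSLv3", supports_scsv=True), hostile),
        "patched, clean path": connect(Server("TLSv1.2", "SSLv3", supports_scsv=True)),
        "SSLv3 disabled, hostile path": connect(Server("TLSv1.2", "TLSv1", supports_scsv=False), hostile),
        "old TLSv1-only server, legit fallback": connect(Server("TLSv1", "SSLv3", True, version_intolerant=True)),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print("%-40s -> %s" % (name, outcome))
```

The last scenario is the reason the signal is a cipher-suite value rather than a blanket "never fall back" rule: a genuinely old server sees the SCSV but is being offered its own best version, so it accepts, and only a server that could have done better refuses.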
Assignee: bugsquad => qa-bugs
Testing procedure: https://wiki.mageia.org/en/QA_procedure:Openssl
Whiteboard: MGA3TOO => MGA3TOO has_procedure
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: openssl apache apache-mod_ssl

default install of openssl, apache, apache-mod_ssl

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.1e-8.7.mga4.i586 is already installed
[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_ssl
Package apache-mod_ssl-2.4.7-5.3.mga4.i586 is already installed

Viewing a webpage from the server under test, from a browser local or a browser on the LAN, requires a cert.

install openssl from updates_testing
stop then restart Apache server

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.1e-8.8.mga4.i586 is already installed
[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.1e-8.8.mga4.i586 is already installed
[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_ssl
Package apache-mod_ssl-2.4.7-5.3.mga4.i586 is already installed

Viewing a webpage from the server under test, from a browser local or on the LAN, requires a cert.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-32-OK
In VirtualBox, M4, KDE, 64-bit

Package(s) under test: openssl apache apache-mod_ssl

default install of openssl, apache, apache-mod_ssl

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.1e-8.7.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_ssl
Package apache-mod_ssl-2.4.7-5.3.mga4.x86_64 is already installed

Viewing a webpage from the server under test, from a browser local or a browser on the LAN, requires a cert.

[wilcal@localhost ~]$ openssl s_time -connect 192.168.1.130:443
No CIPHER specified
Collecting connection statistics for 30 seconds
*****************........
11159 connections in 9.75s; 1144.51 connections/user sec, bytes read 0
11159 connections in 31 real seconds, 0 bytes read per connection
.....

install openssl from updates_testing
stop then restart Apache server

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.1e-8.8.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_ssl
Package apache-mod_ssl-2.4.7-5.3.mga4.x86_64 is already installed

Viewing a webpage from the server under test, from a browser local or a browser on the LAN, requires a cert.

[wilcal@localhost ~]$ openssl s_time -connect 192.168.1.130:443
No CIPHER specified
Collecting connection statistics for 30 seconds
*****************........
11001 connections in 9.55s; 1151.94 connections/user sec, bytes read 0
11001 connections in 31 real seconds, 0 bytes read per connection

From another workstation on the LAN:
3361 connections in 20.47s; 164.19 connections/user sec, bytes read 0
3361 connections in 31 real seconds, 0 bytes read per connection

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Whiteboard: MGA3TOO has_procedure MGA4-32-OK => MGA3TOO has_procedure MGA4-32-OK MGA4-32-OK
In VirtualBox, M4, KDE, 32-bit

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.1e-8.8.mga4.x86_64 is already installed

[wilcal@localhost ~]$ openssl s_time -connect 192.168.1.88:443
No CIPHER specified
Collecting connection statistics for 30 seconds
*****************........
6111 connections in 11.17s; 547.09 connections/user sec, bytes read 0
6111 connections in 31 real seconds, 0 bytes read per connection

From another workstation on the LAN:
2915 connections in 17.48s; 166.76 connections/user sec, bytes read 0
2915 connections in 31 real seconds, 0 bytes read per connection
In VirtualBox, M3, KDE, 32-bit

Package(s) under test: openssl apache apache-mod_ssl

default install of openssl, apache, apache-mod_ssl

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.1e-1.10.mga3.i586 is already installed
Marking openssl as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
[root@localhost wilcal]# urpmi apache
Package apache-2.4.4-7.8.mga3.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_ssl
Package apache-mod_ssl-2.4.4-7.8.mga3.i586 is already installed

Viewing a webpage from the server under test, from a browser local or a browser on the LAN, requires a cert.

[wilcal@localhost ~]$ openssl s_time -connect localhost:443
No CIPHER specified
Collecting connection statistics for 30 seconds
*****************........
5996 connections in 11.03s; 543.61 connections/user sec, bytes read 0
5996 connections in 31 real seconds, 0 bytes read per connection
.......

From another workstation on the LAN:
[wilcal@localhost ~]$ openssl s_time -connect 192.168.1.92:443
2938 connections in 17.69s; 166.08 connections/user sec, bytes read 0
2938 connections in 31 real seconds, 0 bytes read per connection
....

install openssl from updates_testing
stop then restart Apache server

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.1e-1.11.mga3.i586 is already installed
[root@localhost wilcal]# urpmi apache
Package apache-2.4.4-7.8.mga3.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_ssl
Package apache-mod_ssl-2.4.4-7.8.mga3.i586 is already installed

Viewing a webpage from the server under test, from a browser local or a browser on the LAN, requires a cert.

[wilcal@localhost ~]$ openssl s_time -connect localhost:443
No CIPHER specified
Collecting connection statistics for 30 seconds
*****************........
6001 connections in 11.15s; 538.21 connections/user sec, bytes read 0
6001 connections in 31 real seconds, 0 bytes read per connection

From another workstation on the LAN:
[wilcal@localhost ~]$ openssl s_time -connect 192.168.1.92:443
2944 connections in 17.94s; 164.10 connections/user sec, bytes read 0
2944 connections in 31 real seconds, 0 bytes read per connection

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-32-OK
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-64-OK MGA4-32-OK
In VirtualBox, M3, KDE, 64-bit

Package(s) under test: openssl apache apache-mod_ssl

default install of openssl, apache, apache-mod_ssl

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.1e-1.10.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi apache
Package apache-2.4.4-7.8.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_ssl
Package apache-mod_ssl-2.4.4-7.8.mga3.x86_64 is already installed

Viewing a webpage from the server under test, from a browser local or a browser on the LAN, requires a cert.

[wilcal@localhost ~]$ openssl s_time -connect localhost:443
No CIPHER specified
Collecting connection statistics for 30 seconds
*****************........
10442 connections in 9.90s; 1054.75 connections/user sec, bytes read 0
10442 connections in 31 real seconds, 0 bytes read per connection
.......

From another workstation on the LAN:
[wilcal@localhost ~]$ openssl s_time -connect 192.168.1.93:443
3312 connections in 20.15s; 164.37 connections/user sec, bytes read 0
3312 connections in 31 real seconds, 0 bytes read per connection
....

install openssl from updates_testing
stop then restart Apache server

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.1e-1.11.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi apache
Package apache-2.4.4-7.8.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_ssl
Package apache-mod_ssl-2.4.4-7.8.mga3.x86_64 is already installed

Viewing a webpage from the server under test, from a browser local or a browser on the LAN, requires a cert.

[wilcal@localhost ~]$ openssl s_time -connect localhost:443
No CIPHER specified
Collecting connection statistics for 30 seconds
*****************........
10330 connections in 10.01s; 1031.97 connections/user sec, bytes read 0
10330 connections in 31 real seconds, 0 bytes read per connection

From another workstation on the LAN:
[wilcal@localhost ~]$ openssl s_time -connect 192.168.1.93:443
3426 connections in 20.90s; 163.92 connections/user sec, bytes read 0
3426 connections in 31 real seconds, 0 bytes read per connection

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
For me this update works fine.

Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit

Validating the update. Could someone from the sysadmin team push this to updates. Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0416.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED