Upstream has issued an advisory today (March 19): http://openssl.org/news/secadv_20150319.txt OpenSSL updated to 1.0.2a in Cauldron SVN. Freeze push requested for Cauldron. OpenSSL updated to 1.0.1m in Mageia 4. Updated package uploaded for Mageia 4. Advisory to come later. For now, see the upstream advisory. Updated packages in core/updates_testing: ======================== openssl-1.0.1m-1.mga4 libopenssl-engines1.0.0-1.0.1m-1.mga4 libopenssl1.0.0-1.0.1m-1.mga4 libopenssl-devel-1.0.1m-1.mga4 libopenssl-static-devel-1.0.1m-1.mga4 from openssl-1.0.1m-1.mga4.src.rpm Reproducible: Steps to Reproduce:
Testing procedure: https://wiki.mageia.org/en/QA_procedure:Openssl
Whiteboard: (none) => has_procedure
Advisory: ======================== Updated openssl packages fix security vulnerabilities: The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check certificate signature algorithm consistency this can be used to crash any certificate verification operation and exploited in a DoS attack. Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication (CVE-2015-0286). Reusing a structure in ASN.1 parsing may allow an attacker to cause memory corruption via an invalid write. Such reuse is and has been strongly discouraged and is believed to be rare. Certificate parsing, OpenSSL clients, and OpenSSL servers are not affected (CVE-2015-0287). The PKCS#7 parsing code does not handle missing outer ContentInfo correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing. OpenSSL clients and servers are not affected (CVE-2015-0289). A malicious client can trigger an OPENSSL_assert (i.e., an abort) in servers that both support SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message (CVE-2015-0293). A malformed EC private key file consumed via the d2i_ECPrivateKey function could cause a use after free condition. This, in turn, could cause a double free in several private key parsing functions (such as d2i_PrivateKey or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption for applications that receive EC private keys from untrusted sources. This scenario is considered rare (CVE-2015-0209). The function X509_to_X509_REQ will crash with a NULL pointer dereference if the certificate key is invalid. This function is rarely used in practice (CVE-2015-0288). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0286 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0287 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0289 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0293 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0209 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0288 http://openssl.org/news/secadv_20150319.txt
Testing complete Mageia 4 i586 using the procedure on the wiki.
Whiteboard: has_procedure => has_procedure MGA4-32-OK
Testing mga4 64
Testing complete mga4 64
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK mga4-64-ok
Validating. Advisory uploaded. Please push to 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA4-32-OK mga4-64-ok => has_procedure advisory MGA4-32-OK mga4-64-okCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0111.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
This also fixed CVE-2015-0292, not sure how I missed that. Fixed advisory. Advisory: ======================== Updated openssl packages fix security vulnerabilities: A malformed EC private key file consumed via the d2i_ECPrivateKey function could cause a use after free condition. This, in turn, could cause a double free in several private key parsing functions (such as d2i_PrivateKey or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption for applications that receive EC private keys from untrusted sources. This scenario is considered rare (CVE-2015-0209). The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check certificate signature algorithm consistency this can be used to crash any certificate verification operation and exploited in a DoS attack. Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication (CVE-2015-0286). Reusing a structure in ASN.1 parsing may allow an attacker to cause memory corruption via an invalid write. Such reuse is and has been strongly discouraged and is believed to be rare. Certificate parsing, OpenSSL clients, and OpenSSL servers are not affected (CVE-2015-0287). The function X509_to_X509_REQ will crash with a NULL pointer dereference if the certificate key is invalid. This function is rarely used in practice (CVE-2015-0288). The PKCS#7 parsing code does not handle missing outer ContentInfo correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing. OpenSSL clients and servers are not affected (CVE-2015-0289). A vulnerability existed in previous versions of OpenSSL related to the processing of base64 encoded data. Any code path that reads base64 data from an untrusted source could be affected (such as the PEM processing routines). Maliciously crafted base 64 data could trigger a segmenation fault or memory corruption. This was addressed in previous versions of OpenSSL but has not been included in any security advisory until now (CVE-2015-0292). A malicious client can trigger an OPENSSL_assert (i.e., an abort) in servers that both support SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message (CVE-2015-0293). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0209 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0286 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0287 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0288 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0289 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0292 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0293 http://openssl.org/news/secadv_20150319.txt
LWN reference for CVE-2015-0293: http://lwn.net/Vulnerabilities/637408/
URL: (none) => http://lwn.net/Vulnerabilities/637405/