Upstream has issued an advisory today (July 9):
https://www.openssl.org/news/secadv_20150709.txt

Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated openssl packages fix security vulnerability:

During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate (CVE-2015-1793).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1793
https://www.openssl.org/news/secadv_20150709.txt
========================

Updated packages in core/updates_testing:
========================
openssl-1.0.1p-1.mga4
libopenssl-engines1.0.0-1.0.1p-1.mga4
libopenssl1.0.0-1.0.1p-1.mga4
libopenssl-devel-1.0.1p-1.mga4
libopenssl-static-devel-1.0.1p-1.mga4
openssl-1.0.2d-1.mga5
libopenssl-engines1.0.0-1.0.2d-1.mga5
libopenssl1.0.0-1.0.2d-1.mga5
libopenssl-devel-1.0.2d-1.mga5
libopenssl-static-devel-1.0.2d-1.mga5

from SRPMS:
openssl-1.0.1p-1.mga4.src.rpm
openssl-1.0.2d-1.mga5.src.rpm
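An added check, not part of this bug report or of the Mageia QA procedure: a POSIX shell script that decides whether an OpenSSL version string falls in the range the advisory describes, i.e. from 1.0.1n up to but not including 1.0.1p, and from 1.0.2b up to but not including 1.0.2d (the fixed releases shipped in the packages above). It assumes OpenSSL 1.0.x-style version strings (dotted numbers plus an optional single patch letter); a trailing suffix such as "-fips" is ignored. The function names are mine, not OpenSSL's or Mageia's.

```shell
#!/bin/sh
# Added example (not from the bug report or the Mageia QA procedure):
# decide whether an OpenSSL 1.0.x version string is in the range affected
# by CVE-2015-1793, i.e. [1.0.1n, 1.0.1p) or [1.0.2b, 1.0.2d).
# Assumes OpenSSL 1.0.x-style versions: dotted numbers plus an optional
# single patch letter ("1.0.1p"); a trailing "-fips" or similar is ignored.
set -eu

# Compare two dotted numeric strings ("1.0.1" vs "1.0.2"); prints -1, 0 or 1.
vercmp_num() {
    x=$1; y=$2
    while [ -n "$x" ] || [ -n "$y" ]; do
        xi=${x%%.*}; yi=${y%%.*}
        [ "$xi" = "$x" ] && x= || x=${x#*.}
        [ "$yi" = "$y" ] && y= || y=${y#*.}
        xi=${xi:-0}; yi=${yi:-0}
        if [ "$xi" -lt "$yi" ]; then echo -1; return; fi
        if [ "$xi" -gt "$yi" ]; then echo 1; return; fi
    done
    echo 0
}

# Ordinal of the first character of the patch suffix; 0 when there is none,
# so "1.0.2" sorts before "1.0.2a".
letter_ord() {
    if [ -n "$1" ]; then
        c=${1%"${1#?}"}          # first character only ("d-fips" -> "d")
        printf '%d' "'$c"
    else
        printf 0
    fi
}

# Compare two OpenSSL version strings; prints -1, 0 or 1.
openssl_vercmp() {
    abase=${1%%[a-z]*}; aletter=${1#"$abase"}
    bbase=${2%%[a-z]*}; bletter=${2#"$bbase"}
    r=$(vercmp_num "$abase" "$bbase")
    if [ "$r" != 0 ]; then echo "$r"; return; fi
    ao=$(letter_ord "$aletter"); bo=$(letter_ord "$bletter")
    if [ "$ao" -lt "$bo" ]; then echo -1
    elif [ "$ao" -gt "$bo" ]; then echo 1
    else echo 0
    fi
}

# True (exit 0) when the version has the alternative-chain code but not the fix.
cve_2015_1793_affected() {
    v=$1
    if [ "$(openssl_vercmp "$v" 1.0.1n)" -ge 0 ] && [ "$(openssl_vercmp "$v" 1.0.1p)" -lt 0 ]; then
        return 0
    fi
    if [ "$(openssl_vercmp "$v" 1.0.2b)" -ge 0 ] && [ "$(openssl_vercmp "$v" 1.0.2d)" -lt 0 ]; then
        return 0
    fi
    return 1
}

# Check the openssl binary on PATH ("OpenSSL 1.0.1p 9 Jul 2015" -> "1.0.1p").
check_installed() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH"; return 2; }
    v=$(openssl version | awk '{ print $2 }')
    if cve_2015_1793_affected "$v"; then
        echo "openssl $v: AFFECTED by CVE-2015-1793 (fixed in 1.0.1p / 1.0.2d)"
        return 1
    fi
    echo "openssl $v: outside the affected range"
}

# Run the live check only when asked (./check.sh --check), so the functions
# can also be sourced from another script.
case "${1:-}" in
    --check) check_installed ;;
esac
```

The version string only says which code the binary was built from; on a distribution that backports fixes without bumping the upstream version, `rpm -q --changelog openssl | grep CVE-2015-1793` is the authoritative check, and for the Mageia packages listed above the version itself (1.0.1p / 1.0.2d) is the fixed one.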
Testing procedure: https://wiki.mageia.org/en/QA_procedure:Openssl
Whiteboard: (none) => MGA4TOO has_procedure
Advisory committed to svn.
CC: (none) => davidwhodgins
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure advisory
Running openssl s_time -connect 127.0.0.1:443 I'm getting
ERROR
140324049786512:error:02002063:system library:connect:Cannot assign requested address:bss_conn.c:246:host=127.0.0.1:443
140324049786512:error:20073067:BIO routines:CONN_STATE:connect error:bss_conn.c:249:

I haven't checked to see if it's a regression or not.
Should have added, comment 3 is from a test on Mageia 4 x86_64.
(In reply to Dave Hodgins from comment #3)
> Running openssl s_time -connect 127.0.0.1:443 I'm getting
> ERROR
> 140324049786512:error:02002063:system library:connect:Cannot assign
> requested address:bss_conn.c:246:host=127.0.0.1:443
> 140324049786512:error:20073067:BIO routines:CONN_STATE:connect
> error:bss_conn.c:249:
>
> I haven't checked to see if it's a regression or not.

That's because you don't have httpd running. It works if you do.
CC: (none) => juan.baptiste
In VirtualBox, M4, KDE, 32-bit

Got all the way through:

https://wiki.mageia.org/en/QA_procedure:Openssl

Till the last step:

If you don't have a server to test that with then you can emulate one using the s_server option:

Then executed final step and got this following error:

[root@localhost wilcal]# openssl s_time -connect myhost:4433 -www / -new -ssl3
No CIPHER specified
Collecting connection statistics for 30 seconds
ERROR
3073136316:error:2006A066:BIO routines:BIO_get_host_ip:bad hostname lookup:b_sock.c:146:host=myhost

What am I doing wrong? I do have httpd running.
CC: (none) => wilcal.int
(In reply to William Kenney from comment #6)
> In VirtualBox, M4, KDE, 32-bit
>
> Got all the way through:
>
> https://wiki.mageia.org/en/QA_procedure:Openssl
>
> Till the last step:
>
> If you don't have a server to test that with then you
> can emulate one using the s_server option:
>
> Then executed final step and got this following error:
>
> [root@localhost wilcal]# openssl s_time -connect myhost:4433 -www / -new
> -ssl3
> No CIPHER specified
> Collecting connection statistics for 30 seconds
> ERROR
> 3073136316:error:2006A066:BIO routines:BIO_get_host_ip:bad hostname
> lookup:b_sock.c:146:host=myhost
>
> What am I doing wrong? I do have httpd running.

Since you do have httpd, you can test against that. You don't need to do this last step. If you still want to try it that way, the error you're getting is because it's failing to do a DNS lookup on myhost. You need to replace myhost with the hostname of the machine running the openssl test server with the previous command (right above it on the wiki page).
Testing complete Mageia 4 i586 and Mageia 5 i586 using the procedure.
Whiteboard: MGA4TOO has_procedure advisory => MGA4TOO has_procedure MGA4-32-OK MGA5-32-OK advisory
Like this:

[root@localhost wilcal]# openssl s_time -connect localhost:443
No CIPHER specified
Collecting connection statistics for 30 seconds
*****************************************************........**************
6360 connections in 10.31s; 616.88 connections/user sec, bytes read 0
6360 connections in 31 real seconds, 0 bytes read per connection

and on and on and on.
(In reply to William Kenney from comment #9)
> Like this:
>
> [root@localhost wilcal]# openssl s_time -connect localhost:443
> No CIPHER specified
> Collecting connection statistics for 30 seconds
> *****************************************************........**************
> 6360 connections in 10.31s; 616.88 connections/user sec, bytes read 0
> 6360 connections in 31 real seconds, 0 bytes read per connection
>
> and on and on and on.

That's better.
(In reply to David Walser from comment #5)
> (In reply to Dave Hodgins from comment #3)
> > Running openssl s_time -connect 127.0.0.1:443 I'm getting
> > ERROR
> > 140324049786512:error:02002063:system library:connect:Cannot assign
> > requested address:bss_conn.c:246:host=127.0.0.1:443
> > 140324049786512:error:20073067:BIO routines:CONN_STATE:connect
> > error:bss_conn.c:249:
> >
> > I haven't checked to see if it's a regression or not.
>
> That's because you don't have httpd running. It works if you do.

I'd forgotten that I'd disabled it to speed up boot time. With it running, I'm still getting
ERROR
139647699248784:error:02002063:system library:connect:Cannot assign requested address:bss_conn.c:246:host=127.0.0.1:443
139647699248784:error:20073067:BIO routines:CONN_STATE:connect error:bss_conn.c:249:

I probably have something wrong in the apache config, though I don't know what.

# netstat -tapn|grep 443
tcp        0      0 0.0.0.0:443      0.0.0.0:*      LISTEN      3802/httpd
I'm getting the same error with the prior version of openssl, so it's not a regression.
(In reply to Dave Hodgins from comment #12)
> I'm getting the same error with the prior version of openssl, so it's not
> a regression.

Does browsing to https://localhost/ in a web browser work?
(In reply to David Walser from comment #13)
> (In reply to Dave Hodgins from comment #12)
> > I'm getting the same error with the prior version of openssl, so it's not
> > a regression.
>
> Does browsing to https://localhost/ in a web browser work?

Yes, though I get a certificate error as the cert is for localhost, while the hostname is x3.hodgins.homeip.net (It's running Mageia 4, I just haven't updated the hostname yet).
(In reply to Dave Hodgins from comment #14)
> (In reply to David Walser from comment #13)
> > (In reply to Dave Hodgins from comment #12)
> > > I'm getting the same error with the prior version of openssl, so it's not
> > > a regression.
> >
> > Does browsing to https://localhost/ in a web browser work?
>
> Yes, though I get a certificate error as the cert is for localhost, while
> the hostname is x3.hodgins.homeip.net (It's running Mageia 4, I just haven't
> updated the hostname yet).

My certs are for localhost even though the hostname is different, so that's not the issue. Like you said, it's not a regression for you, so something peculiar must be happening on your machine, but it isn't obvious what it is. It sounds like it should work.
It's working with https websites, so I'm not worried about it. It just seems to be the test procedure that doesn't work. It's probably better to just use a browser on https sites, to see if it works. Validating the update.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
It depends on which browser. I don't know off the top of my head which ones use OpenSSL. Firefox uses NSS. I do think this is ready for validation though, so thanks for that.
I used opera in my tests, but just ran konqueror under strace and it's loading /lib64/libssl.so.1.0.0, and also works, so I'm pretty sure it is ok.
(In reply to Dave Hodgins from comment #18)
> I used opera in my tests, but just ran konqueror under strace and it's
> loading /lib64/libssl.so.1.0.0, and also works, so I'm pretty sure it
> is ok.

Cool, that sounds right. Thanks Dave.
I have to step back from this one. I got totally confused. Sometimes things work sometimes they don't for me.
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0274.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/650732/