OpenSSL has issued an advisory today (May 3): https://www.openssl.org/news/secadv/20160503.txt

Updated packages uploaded for Mageia 5 and Cauldron.

Note that CVE-2016-2176 only affects systems that use EBCDIC, and ours uses ASCII, so we are not impacted.

Advisory:
========================

Updated openssl packages fix security vulnerabilities:

An overflow can occur in the EVP_EncodeUpdate() function which is used for Base64 encoding of binary data. If an attacker is able to supply very large amounts of input data then a length check can overflow resulting in a heap corruption (CVE-2016-2105).

An overflow can occur in the EVP_EncryptUpdate() function. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block then a length check can overflow resulting in a heap corruption (CVE-2016-2106).

A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI (CVE-2016-2107).

When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() a short invalid encoding can cause allocation of large amounts of memory potentially consuming excessive resources or exhausting memory (CVE-2016-2109).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2105
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2106
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2107
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2109
https://www.openssl.org/news/secadv/20160503.txt
========================

Updated packages in core/updates_testing:
========================
openssl-1.0.2h-1.mga5
libopenssl-engines1.0.0-1.0.2h-1.mga5
libopenssl1.0.0-1.0.2h-1.mga5
libopenssl-devel-1.0.2h-1.mga5
libopenssl-static-devel-1.0.2h-1.mga5

from openssl-1.0.2h-1.mga5.src.rpm
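The practical check behind this update is whether the installed build is at or above the fixed one. Comparing version strings by eye is error-prone (letter suffixes like 1.0.2g vs 1.0.2h, release tags like 1.1.mga5 vs 1.mga5), so the following added example, which is not part of the Mageia QA procedure or of OpenSSL itself, re-implements rpm's version ordering (rpmvercmp: alternating digit and letter segments, numeric segments compared by magnitude, '~' sorting before everything) in Python and applies it to the package names quoted in this report. The package list and the `openssl version` lines are taken from the thread; the arch suffix list and the optional `rpm -q` call at the bottom are assumptions for running it on a live system.

```python
"""Confirm an installed openssl package is at or above the fixed EVR.

Added example for this bug report (not Mageia's or OpenSSL's code).
Version strings below are the ones quoted in the report.
"""
import re

# Fixed builds listed in the advisory comment (name-version-release).
FIXED = {
    "openssl": "openssl-1.0.2h-1.mga5",
    "libopenssl-engines1.0.0": "libopenssl-engines1.0.0-1.0.2h-1.mga5",
    "libopenssl1.0.0": "libopenssl1.0.0-1.0.2h-1.mga5",
    "libopenssl-devel": "libopenssl-devel-1.0.2h-1.mga5",
    "libopenssl-static-devel": "libopenssl-static-devel-1.0.2h-1.mga5",
}

# Assumed: arch suffixes `rpm -q` appends, stripped before comparing releases.
ARCHES = ("i586", "i686", "x86_64", "noarch", "armv7hl", "aarch64")


def rpmvercmp(a: str, b: str) -> int:
    """Order two version or release strings the way rpm does; -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything not alphanumeric or '~') carry no meaning.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # '~' sorts before everything, including end of string (pre-releases).
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if ta and tb:
                i += 1
                j += 1
                continue
            return -1 if ta else 1
        if i >= len(a) or j >= len(b):
            break
        # Take a digit run or a letter run from both sides, typed by side a.
        if a[i].isdigit():
            isnum, ma, mb = True, re.match(r"[0-9]+", a[i:]), re.match(r"[0-9]+", b[j:])
        else:
            isnum, ma, mb = False, re.match(r"[A-Za-z]+", a[i:]), re.match(r"[A-Za-z]+", b[j:])
        sa = ma.group(0)
        if mb is None:
            # Segment types differ: a numeric segment is newer than an alpha one.
            return 1 if isnum else -1
        sb = mb.group(0)
        i += len(sa)
        j += len(sb)
        if isnum:
            # Numeric segments compare by magnitude: drop leading zeros, then length.
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    # Whichever side still has segments left is the newer one.
    return -1 if i >= len(a) else 1


def parse_nevr(pkg: str):
    """Split 'name-[epoch:]version-release[.arch]' into (name, epoch, version, release)."""
    name, version, release = pkg.rsplit("-", 2)
    for arch in ARCHES:
        if release.endswith("." + arch):
            release = release[: -(len(arch) + 1)]
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release


def evr_cmp(a, b) -> int:
    """Compare (epoch, version, release) tuples: epoch first, then version, then release."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    rc = rpmvercmp(a[1], b[1])
    return rc if rc else rpmvercmp(a[2], b[2])


def is_fixed(installed_pkg: str, fixed_pkg: str) -> bool:
    """True when the installed package is the fixed build or newer."""
    n1, *evr1 = parse_nevr(installed_pkg)
    n2, *evr2 = parse_nevr(fixed_pkg)
    if n1 != n2:
        raise ValueError(f"package names differ: {n1} vs {n2}")
    return evr_cmp(tuple(evr1), tuple(evr2)) >= 0


def openssl_version_fixed(version_line: str, minimum: str = "1.0.2h") -> bool:
    """Check the first line of `openssl version`, e.g. 'OpenSSL 1.0.2h  3 May 2016'."""
    m = re.match(r"OpenSSL\s+(\S+)", version_line)
    if not m:
        raise ValueError(f"unrecognised version line: {version_line!r}")
    return rpmvercmp(m.group(1), minimum) >= 0


if __name__ == "__main__":
    import shutil
    import subprocess

    # Constructed sample: the before/after package names seen in the thread.
    samples = ["openssl-1.0.2g-1.1.mga5.i586", "openssl-1.0.2h-1.mga5.x86_64"]
    if shutil.which("rpm"):
        out = subprocess.run(["rpm", "-q", "openssl"], capture_output=True, text=True)
        samples = out.stdout.split() or samples
    for pkg in samples:
        state = "fixed" if is_fixed(pkg, FIXED["openssl"]) else "VULNERABLE"
        print(f"{pkg}: {state}")
```

The rpm comparison is the authoritative one on a distribution, since vendors backport fixes without bumping the upstream version; the `openssl version` check is only a quick cross-check and would be misleading on a distribution that patched 1.0.2g in place rather than rebasing to 1.0.2h as Mageia did here.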
Testing procedure: https://wiki.mageia.org/en/QA_procedure:Openssl
Whiteboard: (none) => has_procedure
MGA5-32 on AcerD620 Xfce
No installation issues.
Followed above procedure, and all well until last one:

run as root:
# openssl s_server -cert /etc/pki/tls/certs/httpd.pem -key /etc/pki/tls/private/httpd.pem -www
Using default temp DH parameters
ACCEPT

run in second konsole as normal user or as root:
$ openssl s_time -connect mach6:4433 -www / -new -ssl3
No CIPHER specified
Collecting connection statistics for 30 seconds
ERROR
3073263292:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40

and on the server window appears:
3073324732:error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:960:
ACCEPT

If I give the command at the client konsole:
$ openssl s_client -tls1 -connect mach6:4433
CONNECTED(00000003)
depth=0 CN = mach6.hviaene.thuis, OU = default httpd cert for ....
and a lot more, and nothing at the server konsole.

Some default configuration mismatch???
CC: (none) => herman.viaene
testing X86_64 on HP Z600
CC: (none) => paul.blackburn
testing X86_64 on HP Z600 - completed OK all but last two steps in https://wiki.mageia.org/en/QA_procedure:Openssl (my todo: sort out certificates to complete last two tests)
URL: (none) => http://lwn.net/Vulnerabilities/686085/
testing X86_64 on HP Z600

test to remote server (A Mageia 5 wiki server with self-signed certificate)

from https://wiki.mageia.org/en/QA_procedure:Openssl this test is:
$ openssl s_time -connect <remote.host>:443

[user@z600-mageia5 ~]$ openssl s_time -connect wiki.home:443
No CIPHER specified
Collecting connection statistics for 30 seconds
**************************
[text deleted for brevity]
6765 connections in 4.73s; 1430.23 connections/user sec, bytes read 0
6765 connections in 31 real seconds, 0 bytes read per connection

Now timing with session id reuse.
starting
rrrrrrrrrrrrrrrrrrrr
[text deleted for brevity]
rrrrrrrrrrrrrrrrrrrrrrrERROR
140375622497936:error:02002063:system library:connect:Cannot assign requested address:bss_conn.c:246:host=wiki.home:443
140375622497936:error:20073067:BIO routines:CONN_STATE:connect error:bss_conn.c:249:
testing X86_64 on HP Z600

test to remote server (Mageia 5 wiki server with self-signed certificate)

from https://wiki.mageia.org/en/QA_procedure:Openssl this test is:
------------------------------------------------------------------------
# on one host, set up the server (using default port 4433)
# ( One needs to install apache-mod_ssl for generating the *.pem files )
openssl s_server -cert /etc/pki/tls/certs/httpd.pem -key /etc/pki/tls/private/httpd.pem -www

# on second host (or even the same one), run s_time
openssl s_time -connect myhost:4433 -www / -new -ssl3
------------------------------------------------------------------------

Results:

1) Start on remote server:
[root@wiki ~]# openssl s_server -cert /etc/pki/tls/certs/server.crt -key /etc/pki/tls/private/server.key.unsecure -www
Using default temp DH parameters
ACCEPT

2) Make connection:
[user@z600-mageia5 ~]$ openssl s_time -connect wiki.home:4433 -www / -new -ssl3
No CIPHER specified
Collecting connection statistics for 30 seconds
ERROR
139933287941776:error:0200206E:system library:connect:Connection timed out:bss_conn.c:246:host=wiki.home:4433
139933287941776:error:20073067:BIO routines:CONN_STATE:connect error:bss_conn.c:249:
Followed the test procedure and noticed no issues. For the last steps, I used a self signed certificate for localhost. Also tested using example.com:443.

$ uname -a
Linux marte 4.4.9-desktop-1.mga5 #1 SMP Tue May 3 20:38:36 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
CC: (none) => mageia
In VirtualBox, M5, KDE, 32-bit

Package(s) under test: openssl apache-mod_ssl

default install of openssl

Start ssl server:
[root@localhost wilcal]# openssl s_server -cert /etc/pki/tls/certs/httpd.pem -key /etc/pki/tls/private/httpd.pem -www
Using default temp DH parameters
ACCEPT
server starts

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.2g-1.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_ssl
Package apache-mod_ssl-2.4.10-16.3.mga5.i586 is already installed

[root@localhost wilcal]# openssl version -a
OpenSSL 1.0.2g 1 Mar 2016
built on: reproducible build, date unspecified
platform: linux-elf
options: bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) blowfish(idx).....

[root@localhost wilcal]# openssl ciphers -v
[root@localhost wilcal]# openssl ciphers -v -tls1
[root@localhost wilcal]# openssl ciphers -v 'HIGH'
[root@localhost wilcal]# openssl ciphers -v 'AES+HIGH'
[root@localhost wilcal]# openssl speed
all work

From another terminal:
[root@localhost wilcal]# openssl s_time -connect localhost:443
No CIPHER specified
Collecting connection statistics for 30 seconds
*****************************************************........**************
3423 connections in 5.03s; 680.52 connections/user sec, bytes read 0
3423 connections in 31 real seconds, 0 bytes read per connection

From another system on the LAN, test system is at 192.168.143:
[wilcal@localhost ~]$ openssl s_client -connect 192.168.1.143:443
CONNECTED(00000003)
depth=0 CN = localhost.localdomain, OU = default httpd cert for localhost.localdomain, emailAddress = root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain.........
Negotiates certs and keys.
install openssl from updates_testing

Start ssl server:
[root@localhost wilcal]# openssl s_server -cert /etc/pki/tls/certs/httpd.pem -key /etc/pki/tls/private/httpd.pem -www
Using default temp DH parameters
ACCEPT
server starts

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.2h-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_ssl
Package apache-mod_ssl-2.4.10-16.3.mga5.i586 is already installed

[root@localhost wilcal]# openssl version -a
OpenSSL 1.0.2h 3 May 2016
built on: reproducible build, date unspecified
platform: linux-elf
options: bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) blowfish(idx).......

[root@localhost wilcal]# openssl ciphers -v
[root@localhost wilcal]# openssl ciphers -v -tls1
[root@localhost wilcal]# openssl ciphers -v 'HIGH'
[root@localhost wilcal]# openssl ciphers -v 'AES+HIGH'
[root@localhost wilcal]# openssl speed
all work

From another terminal:
[root@localhost wilcal]# openssl s_time -connect localhost:443
No CIPHER specified
Collecting connection statistics for 30 seconds
*****************************************************........**************
3319 connections in 5.03s; 659.84 connections/user sec, bytes read 0
3319 connections in 31 real seconds, 0 bytes read per connection

From another system on the LAN, test system is at 192.168.143:
[wilcal@localhost ~]$ openssl s_client -connect 192.168.1.143:443
CONNECTED(00000003)
depth=0 CN = localhost.localdomain, OU = default httpd cert for localhost.localdomain, emailAddress = root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain.........
Negotiates certs and keys.
CC: (none) => wilcal.int
In VirtualBox, M5, KDE, 64-bit

Package(s) under test: openssl apache-mod_ssl

default install of openssl

Start ssl server:
[root@localhost wilcal]# openssl s_server -cert /etc/pki/tls/certs/httpd.pem -key /etc/pki/tls/private/httpd.pem -www
Using default temp DH parameters
ACCEPT
server starts

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.2g-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_ssl
Package apache-mod_ssl-2.4.10-16.3.mga5.x86_64 is already installed

[root@localhost wilcal]# openssl version -a
OpenSSL 1.0.2g 1 Mar 2016
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx).....

[root@localhost wilcal]# openssl ciphers -v
[root@localhost wilcal]# openssl ciphers -v -tls1
[root@localhost wilcal]# openssl ciphers -v 'HIGH'
[root@localhost wilcal]# openssl ciphers -v 'AES+HIGH'
[root@localhost wilcal]# openssl speed
all work

From another terminal:
[root@localhost wilcal]# openssl s_time -connect localhost:443
No CIPHER specified
Collecting connection statistics for 30 seconds
*****************************************************........**************
3423 connections in 5.03s; 680.52 connections/user sec, bytes read 0
3423 connections in 31 real seconds, 0 bytes read per connection

From another system on the LAN, test system is at 192.168.141:
[wilcal@localhost ~]$ openssl s_client -connect 192.168.1.141:443
CONNECTED(00000003)
depth=0 CN = localhost.localdomain, OU = default httpd cert for localhost.localdomain, emailAddress = root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost.localdomain, OU = default httpd cert for localhost.localdomain, emailAddress = root@localhost.localdomain
verify return:1
---
Certificate chain........
Negotiates certs and keys.
install openssl from updates_testing

Start ssl server:
[root@localhost wilcal]# openssl s_server -cert /etc/pki/tls/certs/httpd.pem -key /etc/pki/tls/private/httpd.pem -www
Using default temp DH parameters
ACCEPT
server starts

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.2h-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_ssl
Package apache-mod_ssl-2.4.10-16.3.mga5.x86_64 is already installed

[root@localhost wilcal]# openssl version -a
OpenSSL 1.0.2h 3 May 2016
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)............

[root@localhost wilcal]# openssl ciphers -v
[root@localhost wilcal]# openssl ciphers -v -tls1
[root@localhost wilcal]# openssl ciphers -v 'HIGH'
[root@localhost wilcal]# openssl ciphers -v 'AES+HIGH'
[root@localhost wilcal]# openssl speed
all work

From another terminal:
[root@localhost wilcal]# openssl s_time -connect localhost:443
No CIPHER specified
Collecting connection statistics for 30 seconds
*****************************************************........**************
13593 connections in 3.02s; 4500.99 connections/user sec, bytes read 0
13593 connections in 31 real seconds, 0 bytes read per connection

From another system on the LAN, test system is at 192.168.141:
[wilcal@localhost ~]$ openssl s_client -connect 192.168.1.141:443
CONNECTED(00000003)
depth=0 CN = localhost.localdomain, OU = default httpd cert for localhost.localdomain, emailAddress = root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost.localdomain, OU = default httpd cert for localhost.localdomain, emailAddress = root@localhost.localdomain
verify return:1
---
Certificate chain.........
Negotiates certs and keys.
David this looks good. What you say?
(In reply to William Kenney from comment #10)
> David this looks good. What you say?

Yes.
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit

Validating the update.
Could someone from the sysadmin team push to updates. Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0169.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED