I have uploaded a patched/updated package for Mageia 6. Longer description of the problem can be found here: https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/ Updated packages make it possible to switch RSA keys on ID cards with ECDSA keys. This will fix the current theoretical possibility of calculating the private key from the public key. There are quite a few packages that need to be updated and we are running against the clock as the government will disable old certificates at the second week of November. Before that users have to update their certificates or they can't use online services that require ID card. Best way for QA is to just install the updates and check that the GUI part of the apps opens up. For functionality testing I'll see help from people who actually use the ID card :) Suggested advisory: ======================== A vulnerability, dubbed ROCA, was identified in an implementation of RSA key generation due to a fault in a code library developed by Infineon Technologies. The affected encryption keys are used to secure many forms of technology, such as hardware chips, authentication tokens, software packages, electronic documents, TLS/HTTPS keys, and PGP. Infineon Technologies’ smartcards, security tokens, and secure hardware chips produced since 2012 use the affected code library. Successful exploitation of this vulnerability results in an attacker being able to derive a private key from the public key, using prime factorization, within a practical time frame. This vulnerability does not affect the RSA encryption algorithm itself, and only affects the implementation of the RSA encryption by Infineon Technologies. This vulnerability also affects Estonian ID cards that were issued after 16th October 2014. With the updated packages the user is able to update his/her certificates and continue using the online services that require ID card. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-153 https://www.politsei.ee/en/uudised/uudis.dot?id=785151 ======================== Updated packages in core/updates_testing: ======================== lib(64)smm-local3-0.15.0-2.1.mga6 lib(64)opensc3-0.15.0-2.1.mga6 opensc-0.15.0-2.1.mga6 lib(64)digidocpp1-3.13.2-1.mga6 libdigidocpp-3.13.2-1.mga6 qdigidoc-3.13.3-1.mga6 qdigidoc-nautilus-3.13.3-1.mga6 qesteidutil-3.12.7-2.mga6 chrome-token-signing-1.0.6-1.mga6 task-esteid-3.13.3-1.mga6 Source RPMs: opensc-0.15.0-2.1.mga6.src.rpm libdigidocpp-3.13.2-1.mga6.src.rpm qdigidoc-3.13.3-1.mga6.src.rpm qesteidutil-3.12.7-2.mga6.src.rpm chrome-token-signing-1.0.6-1.mga6.src.rpm task-esteid-3.13.3-1.mga6.src.rpm
Mageia 6 64bit: Enabled /core/updates/testing repository and updated the above packages. Started qesteidutil application. My ID card was correctly detected and offered a certificate upgrade. The upgrade process went without any problems and the certificates were upgraded successfully. Started qdigidoc application. Was able to open existing ddoc and bdoc digitally signed document containers and sign digitally a new document. Started Firefox and was able using my ID card to log in my internet bank account with PIN1 and to sign digitally the money transfer with PIN2. Mageia 6 32bit: Similar results So - according to my brief testing the above update seems to be OK and ready for promoting to /core/updates repository
CC: (none) => jyri2000
Whiteboard: (none) => MGA6-32-OK MGA6-64-OKKeywords: (none) => advisory
QA Contact: (none) => securityComponent: RPM Packages => Security
I'm pretty sure you typoed the CVE.
(In reply to David Walser from comment #2) > I'm pretty sure you typoed the CVE. Indeed :) It's missing 2 numbers. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361 is the correct one.
Thanks you Sander for all your work on this, and Jüri for testing it. @Sander: The 'advisory' keyword is set when the advisory is created & uploaded, not when it is added as a comment to the bug.
Keywords: (none) => validated_updateCC: (none) => lewyssmith, sysadmin-bugs
(In reply to Lewis Smith from comment #4) > @Sander: The 'advisory' keyword is set when the advisory is created & > uploaded, not when it is added as a comment to the bug. Thanks for the info. And for validating the update :)
Hi, sysadmins. I can see that some updates have been pushed but opensc is still missing. Without that update the new certificates won't work. Please push this one too =)
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0395.html
Status: NEW => RESOLVEDResolution: (none) => FIXED