Upstream has issued an advisory on November 2: https://www.openssl.org/news/secadv/20171102.txt The issues are fixed in 1.0.2m. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing guillomovitch who touched the package most often.
Assignee: bugsquad => pkg-bugs
CC: (none) => guillomovitch, marja11
I am working on this. If guillomovitch wants to go ahead with this then just leave a comment.
CC: (none) => jackal.j
Assignee: pkg-bugs => jackal.j
It looks like all three of us have been working on this. Guillaume updated openssl in mga6 SVN (but forgot to commit it to mga5 SVN and didn't push a build). I had to commit the update to mga5 SVN. Updating openssl 1.1 in Cauldron took a bit of work, but updating compat-openssl10 was a LOT of work. Unfortunately that package had been based on Fedora's package instead of our own and wasn't even up to date, so it took dismantling a bunch of extra Fedora stuff to even get it to update or build. Probably more work should be done on it to rebase it on our package and not Fedora's mess.
I didn't really do much at all; I was trying my hand at the Cauldron version of openssl, and it was giving patching problems.
Yeah, I had to rediff a few patches and drop a few that were upstreamed.
Updated packages uploaded for Mageia 5, Mageia 6, and Cauldron.

Testing procedure: https://wiki.mageia.org/en/QA_procedure:Openssl

Advisory:
========================

Updated openssl packages fix security vulnerabilities:

If an X.509 certificate has a malformed IPAddressFamily extension, OpenSSL could do a one-byte buffer overread. The most likely result would be an erroneous display of the certificate in text format (CVE-2017-3735).

There is a carry propagating bug in the x86_64 Montgomery squaring procedure (CVE-2017-3736).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3735
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3736
https://www.openssl.org/news/secadv/20170828.txt
https://www.openssl.org/news/secadv/20171102.txt
========================

Updated packages in core/updates_testing:
========================
openssl-1.0.2m-1.mga5
libopenssl-engines1.0.0-1.0.2m-1.mga5
libopenssl1.0.0-1.0.2m-1.mga5
libopenssl-devel-1.0.2m-1.mga5
libopenssl-static-devel-1.0.2m-1.mga5
openssl-1.0.2m-1.mga6
libopenssl-engines1.0.0-1.0.2m-1.mga6
libopenssl1.0.0-1.0.2m-1.mga6
libopenssl-devel-1.0.2m-1.mga6
libopenssl-static-devel-1.0.2m-1.mga6
openssl-perl-1.0.2m-1.mga6

from SRPMS:
openssl-1.0.2m-1.mga5.src.rpm
openssl-1.0.2m-1.mga6.src.rpm
Assignee: jackal.j => qa-bugs
Keywords: (none) => has_procedure
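A scripted version of the "is the fixed release installed" check that the testers below perform by eye with `openssl version -a`. This is added example code, not from the bug report or Mageia's QA procedure; the fixed release 1.0.2m and the 1.0.2 branch scope come from the advisory above, and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the Mageia bug report or its QA procedure: check that
# `openssl version -a` reports a release at or past 1.0.2m, which the advisory
# names as fixing CVE-2017-3735 and CVE-2017-3736. 1.0.x releases carry a
# patch letter (k < l < m), so version_key pads numbers and appends the letter.

FIXED_VERSION=1.0.2m   # from the advisory; only the 1.0.2 branch is assessed
# version_key 1.0.2m -> 001.000.002.m  (no letter maps to .0, which sorts
# before 'a', so 1.0.2 < 1.0.2a)
version_key() {
    num=${1%%[a-z]*}
    letter=${1#"$num"}
    [ -n "$letter" ] || letter=0
    oldifs=$IFS; IFS=.
    set -- $num
    IFS=$oldifs
    printf '%03d.%03d.%03d.%s' "${1:-0}" "${2:-0}" "${3:-0}" "$letter"
}

# version_at_least HAVE WANT -> exit 0 when HAVE >= WANT
version_at_least() {
    have=$(version_key "$1"); want=$(version_key "$2")
    [ "$have" = "$want" ] && return 0
    first=$(printf '%s\n%s\n' "$have" "$want" | LC_ALL=C sort | head -n 1)
    [ "$first" = "$want" ]
}

# installed_version OUTPUT -> version token of the "OpenSSL ..." line, e.g.
# "OpenSSL 1.0.2l 25 May 2017" -> 1.0.2l (a "-fips" style suffix is dropped)
installed_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}
# check_openssl_output OUTPUT -> prints fixed / vulnerable / unknown, exit 0/1/2
# (unknown: no version line, or a branch the advisory text gives no release for)
check_openssl_output() {
    v=$(installed_version "$1")
    case $v in
        1.0.2*) ;;
        *)      echo unknown; return 2 ;;
    esac
    if version_at_least "$v" "$FIXED_VERSION"; then echo fixed; return 0; fi
    echo vulnerable; return 1
}

# Live check of the local installation; skipped when openssl is absent.
if command -v openssl >/dev/null 2>&1; then
    check_openssl_output "$(openssl version -a)" || true
fi
```

Run as-is it reports on the local openssl; the functions can also be fed saved `openssl version -a` output from a tester's log, as in the comments below.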
In VirtualBox, M6, Plasma, 64-bit

Package(s) under test: openssl apache-mod_ssl

default install of openssl

Open su terminal
Start ssl server:
[root@localhost wilcal]# openssl s_server -cert /etc/pki/tls/certs/httpd.pem -key /etc/pki/tls/private/httpd.pem -www
Using default temp DH parameters
ACCEPT
server starts
leave the terminal open

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.2l-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_ssl
Package apache-mod_ssl-2.4.27-1.mga6.x86_64 is already installed

[root@localhost wilcal]# openssl version -a
OpenSSL 1.0.2l 25 May 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
......

[root@localhost wilcal]# openssl ciphers -v
[root@localhost wilcal]# openssl ciphers -v -tls1
[root@localhost wilcal]# openssl ciphers -v 'HIGH'
[root@localhost wilcal]# openssl ciphers -v 'AES+HIGH'
[root@localhost wilcal]# openssl speed
all work

From another system on the LAN in a terminal:
[root@localhost wilcal]# openssl s_time -connect 192.168.1.83:443
No CIPHER specified
Collecting connection statistics for 30 seconds
*******************************************.........***************************
11306 connections in 5.17s; 2186.85 connections/user sec, bytes read 0
11306 connections in 31 real seconds, 0 bytes read per connection

From another system on the LAN, test system is at 192.168.83:
[root@localhost wilcal]# openssl s_client -connect 192.168.1.83:443
CONNECTED(00000003)
depth=0 CN = localhost, OU = default httpd cert for localhost, emailAddress = root@localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost, OU = default httpd cert for localhost, emailAddress = root@localhost
verify return:1
---
Certificate chain
......
 0 s:/CN=localhost/OU=default httpd cert for localhost/emailAddress=root@localhost
   i:/CN=localhost/OU=default httpd cert for localhost/emailAddress=root@localhost
---
Server certificate
...........
Negotiates certs and keys.

install openssl & apache-mod_ssl from updates_testing

Start ssl server:
[root@localhost wilcal]# openssl s_server -cert /etc/pki/tls/certs/httpd.pem -key /etc/pki/tls/private/httpd.pem -www
Using default temp DH parameters
ACCEPT
server starts
leave the terminal open

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.2m-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_ssl
Package apache-mod_ssl-2.4.27-1.1.mga6.x86_64 is already installed

[root@localhost wilcal]# openssl version -a
OpenSSL 1.0.2m 2 Nov 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
.......

[root@localhost wilcal]# openssl ciphers -v
[root@localhost wilcal]# openssl ciphers -v -tls1
[root@localhost wilcal]# openssl ciphers -v 'HIGH'
[root@localhost wilcal]# openssl ciphers -v 'AES+HIGH'
[root@localhost wilcal]# openssl speed
all work

From another system on the LAN in a terminal:
[root@localhost wilcal]# openssl s_time -connect 192.168.1.83:443
No CIPHER specified
Collecting connection statistics for 30 seconds
************************************************......******************
11518 connections in 5.20s; 2215.00 connections/user sec, bytes read 0
11518 connections in 31 real seconds, 0 bytes read per connection

From another system on the LAN, test system is at 192.168.83:
[root@localhost wilcal]# openssl s_client -connect 192.168.1.83:443
CONNECTED(00000003)
depth=0 CN = localhost, OU = default httpd cert for localhost, emailAddress = root@localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost, OU = default httpd cert for localhost, emailAddress = root@localhost
verify return:1
---
Certificate chain
.......
Negotiates certs and keys.
CC: (none) => wilcal.int
I understand the idea of QA checks before an update, but what you're doing here seems to be a very limited subset of the automated tests already performed during the package build... Except for testing the package upgrade procedure itself, I'm not sure there is any added value in having humans do what computers already do.
Keywords: (none) => advisory
MGA5-32 on Asus A6000VM Xfce
No installation issues

Following comment 7:
# openssl s_server -cert /etc/pki/tls/certs/httpd.pem -key /etc/pki/tls/private/httpd.pem -www
Using default temp DH parameters
ACCEPT

on other terminal tab:
]# openssl version -a
OpenSSL 1.0.2m 2 Nov 2017
built on: reproducible build, date unspecified
platform: linux-elf
options: bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) blowfish(idx)
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fomit-frame-pointer -march=i586 -mtune=generic -fasynchronous-unwind-tables -Wa,--noexecstack -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: dynamic

and
# openssl ciphers -v
produces a lot of sensible output
# openssl ciphers -v -tls1
same as well for HIGH and AES+HIGH, and openssl speed also works OK

Commands from other PC on the LAN also doing OK as above, with the remark that httpd has to run on the SSL under test!!!
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene
In VirtualBox, M6, Plasma, 32-bit

Package(s) under test: openssl apache-mod_ssl

default install of openssl

Open su terminal
Start ssl server:
[root@localhost wilcal]# openssl s_server -cert /etc/pki/tls/certs/httpd.pem -key /etc/pki/tls/private/httpd.pem -www
Using default temp DH parameters
ACCEPT
server starts
leave the terminal open

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.2l-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_ssl
Package apache-mod_ssl-2.4.27-1.mga6.i586 is already installed

[root@localhost wilcal]# openssl version -a
OpenSSL 1.0.2l 25 May 2017
built on: reproducible build, date unspecified
platform: linux-elf
options: bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) blowfish(idx)
......

[root@localhost wilcal]# openssl ciphers -v
[root@localhost wilcal]# openssl ciphers -v -tls1
[root@localhost wilcal]# openssl ciphers -v 'HIGH'
[root@localhost wilcal]# openssl ciphers -v 'AES+HIGH'
[root@localhost wilcal]# openssl speed
all work

From another system on the LAN in a terminal:
[root@localhost wilcal]# openssl s_time -connect 192.168.1.84:443
No CIPHER specified
Collecting connection statistics for 30 seconds
*******************************************.........***************************
3656 connections in 1.73s; 2113.29 connections/user sec, bytes read 0
3656 connections in 31 real seconds, 0 bytes read per connection

From another system on the LAN, test system is at 192.168.84:
[root@localhost wilcal]# openssl s_client -connect 192.168.1.84:443
CONNECTED(00000003)
depth=0 CN = localhost, OU = default httpd cert for localhost, emailAddress = root@localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost, OU = default httpd cert for localhost, emailAddress = root@localhost
verify return:1
---
Certificate chain
 0 s:/CN=localhost/OU=default httpd cert for localhost/emailAddress=root@localhost
   i:/CN=localhost/OU=default httpd cert for localhost/emailAddress=root@localhost
---
Server certificate
...........
Negotiates certs and keys.

install openssl & apache-mod_ssl from updates_testing

Start ssl server:
[root@localhost wilcal]# openssl s_server -cert /etc/pki/tls/certs/httpd.pem -key /etc/pki/tls/private/httpd.pem -www
Using default temp DH parameters
ACCEPT
server starts
leave the terminal open

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.2m-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_ssl
Package apache-mod_ssl-2.4.27-1.1.mga6.i586 is already installed

[root@localhost wilcal]# openssl version -a
OpenSSL 1.0.2m 2 Nov 2017
built on: reproducible build, date unspecified
platform: linux-elf
options: bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) blowfish(idx)
.......

[root@localhost wilcal]# openssl ciphers -v
[root@localhost wilcal]# openssl ciphers -v -tls1
[root@localhost wilcal]# openssl ciphers -v 'HIGH'
[root@localhost wilcal]# openssl ciphers -v 'AES+HIGH'
[root@localhost wilcal]# openssl speed
all work

From another system on the LAN in a terminal:
[root@localhost wilcal]# openssl s_time -connect 192.168.1.84:443
No CIPHER specified
Collecting connection statistics for 30 seconds
************************************************......******************
3630 connections in 1.75s; 2074.29 connections/user sec, bytes read 0
3630 connections in 31 real seconds, 0 bytes read per connection

From another system on the LAN, test system is at 192.168.83:
[root@localhost wilcal]# openssl s_client -connect 192.168.1.84:443
CONNECTED(00000003)
depth=0 CN = localhost, OU = default httpd cert for localhost, emailAddress = root@localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost, OU = default httpd cert for localhost, emailAddress = root@localhost
verify return:1
---
Certificate chain
.......
Negotiates certs and keys.
In VirtualBox, M5.1, KDE, 64-bit

Package(s) under test: openssl apache-mod_ssl

default install of openssl

Open su terminal
Start ssl server:
[root@localhost wilcal]# openssl s_server -cert /etc/pki/tls/certs/httpd.pem -key /etc/pki/tls/private/httpd.pem -www
Using default temp DH parameters
ACCEPT
server starts
leave the terminal open

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.2k-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_ssl
Package apache-mod_ssl-2.4.10-16.4.mga5.x86_64 is already installed

[root@localhost wilcal]# openssl version -a
OpenSSL 1.0.2k 26 Jan 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)

[root@localhost wilcal]# openssl ciphers -v
[root@localhost wilcal]# openssl ciphers -v -tls1
[root@localhost wilcal]# openssl ciphers -v 'HIGH'
[root@localhost wilcal]# openssl ciphers -v 'AES+HIGH'
[root@localhost wilcal]# openssl speed
all work

From another system on the LAN in a terminal:
[root@localhost wilcal]# openssl s_time -connect 192.168.1.85:443
No CIPHER specified
Collecting connection statistics for 30 seconds
*******************************************.........***************************
11511 connections in 5.23s; 2200.96 connections/user sec, bytes read 0
11511 connections in 31 real seconds, 0 bytes read per connection

From another system on the LAN, test system is at 192.168.85:
[root@localhost wilcal]# openssl s_client -connect 192.168.1.85:443
CONNECTED(00000003)
depth=0 CN = localhost, OU = default httpd cert for localhost, emailAddress = root@localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost, OU = default httpd cert for localhost, emailAddress = root@localhost
verify return:1
---
Certificate chain
 0 s:/CN=localhost/OU=default httpd cert for localhost/emailAddress=root@localhost
   i:/CN=localhost/OU=default httpd cert for localhost/emailAddress=root@localhost
---
Server certificate
...........
Negotiates certs and keys.

install openssl & apache-mod_ssl from updates_testing

Start ssl server:
[root@localhost wilcal]# openssl s_server -cert /etc/pki/tls/certs/httpd.pem -key /etc/pki/tls/private/httpd.pem -www
Using default temp DH parameters
ACCEPT
server starts
leave the terminal open

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.2m-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_ssl
Package apache-mod_ssl-2.4.10-16.6.mga5.x86_64 is already installed

[root@localhost wilcal]# openssl version -a
OpenSSL 1.0.2m 2 Nov 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
.......

[root@localhost wilcal]# openssl ciphers -v
[root@localhost wilcal]# openssl ciphers -v -tls1
[root@localhost wilcal]# openssl ciphers -v 'HIGH'
[root@localhost wilcal]# openssl ciphers -v 'AES+HIGH'
[root@localhost wilcal]# openssl speed
all work

From another system on the LAN in a terminal:
[root@localhost wilcal]# openssl s_time -connect 192.168.1.85:443
No CIPHER specified
Collecting connection statistics for 30 seconds
************************************************......******************
11468 connections in 5.17s; 2218.18 connections/user sec, bytes read 0
11468 connections in 31 real seconds, 0 bytes read per connection

From another system on the LAN, test system is at 192.168.85:
[root@localhost wilcal]# openssl s_client -connect 192.168.1.85:443
CONNECTED(00000003)
depth=0 CN = localhost, OU = default httpd cert for localhost, emailAddress = root@localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost, OU = default httpd cert for localhost, emailAddress = root@localhost
verify return:1
---
Certificate chain
.......
Negotiates certs and keys.
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA5-64-OK
Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK
We've kinda over-tested this now. If there are no objections I'll validate it in 24 hours, unless someone beats me to it.
This update works fine. Testing complete for MGA5/6, 32-bit & 64-bit.

Validating the update. Could someone from the sysadmin team push to updates? Thanks.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0405.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED