Upstream has issued an advisory on March 27: https://www.openssl.org/news/secadv/20180327.txt
The issue is fixed in 1.0.2o.

Mageia 5 is also affected.

Updated packages uploaded for Mageia 5, Mageia 6, and Cauldron.

Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Openssl

Advisory:
========================

Updated openssl packages fix security vulnerability:

Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe (CVE-2018-0739).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739
https://www.openssl.org/news/secadv/20180327.txt
========================

Updated packages in core/updates_testing:
========================
openssl-1.0.2o-1.mga5
libopenssl-engines1.0.0-1.0.2o-1.mga5
libopenssl1.0.0-1.0.2o-1.mga5
libopenssl-devel-1.0.2o-1.mga5
libopenssl-static-devel-1.0.2o-1.mga5

openssl-1.0.2o-1.mga6
libopenssl-engines1.0.0-1.0.2o-1.mga6
libopenssl1.0.0-1.0.2o-1.mga6
libopenssl-devel-1.0.2o-1.mga6
libopenssl-static-devel-1.0.2o-1.mga6
openssl-perl-1.0.2o-1.mga6

from SRPMS:
openssl-1.0.2o-1.mga5.src.rpm
openssl-1.0.2o-1.mga6.src.rpm
Whiteboard: (none) => MGA5TOO
Keywords: (none) => has_procedure
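The advisory above describes a recursive decoder for constructed ASN.1 types that spends one stack frame per nesting level and so can be driven off the end of the stack. As an added illustration (not code from this bug report or from OpenSSL), the toy DER walker below shows the mitigation: refuse nesting beyond a fixed cap and fail with an ordinary decode error instead. The cap of 30, the function names and the constructed test input are all assumptions of this example.

```python
# Added example (not from the bug report or OpenSSL): a toy DER walker that
# bounds constructed-type nesting; the cap and all names are assumptions.

MAX_NEST = 30  # assumed cap; a real decoder picks what its stack can afford


class DerError(ValueError):
    """Malformed or over-nested input; raised instead of blowing the stack."""


def _read_tlv(data, pos):
    """Parse one tag/length header; return (constructed, value_start, value_end)."""
    if pos + 2 > len(data):
        raise DerError("truncated header")
    tag, first = data[pos], data[pos + 1]
    if tag & 0x1F == 0x1F:
        raise DerError("multi-byte tags not handled in this example")
    pos, length = pos + 2, first
    if first >= 0x80:  # long-form length: next (first & 0x7F) octets hold it
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise DerError("bad length encoding")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise DerError("value runs past end of input")
    return bool(tag & 0x20), pos, pos + length


def walk(data, depth=0, max_nest=MAX_NEST):
    """Walk DER recursively; return the deepest constructed nesting seen. Each level
    costs a stack frame (what CVE-2018-0739 exhausted); max_nest=None leaves it unbounded."""
    pos, deepest = 0, depth
    while pos < len(data):
        constructed, start, end = _read_tlv(data, pos)
        if constructed:
            if max_nest is not None and depth + 1 > max_nest:
                raise DerError(f"constructed nesting exceeds {max_nest}")
            deepest = max(deepest, walk(data[start:end], depth + 1, max_nest))
        pos = end
    return deepest


def nested_sequence(levels):
    """Constructed test input: `levels` SEQUENCEs wrapped around an empty one."""
    blob = b""
    for _ in range(levels):
        n, size = len(blob), (len(blob).bit_length() + 7) // 8
        hdr = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
        blob = b"\x30" + hdr + blob
    return blob
```

With the default cap, `walk(nested_sequence(31))` raises `DerError` while 30 levels decode; with `max_nest=None`, a few thousand levels end in Python's `RecursionError`, the interpreter's counterpart of the stack exhaustion the advisory describes.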
$ uname -a
Linux localhost 4.14.25-desktop-1.mga6 #1 SMP Fri Mar 9 19:48:35 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

The following 5 packages are going to be installed:
- lib64openssl-engines1.0.0-1.0.2o-1.mga6.x86_64
- lib64openssl1.0.0-1.0.2o-1.mga6.x86_64
- openssl-1.0.2o-1.mga6.x86_64
- openssl-perl-1.0.2o-1.mga6.x86_64
- perl-WWW-Curl-4.170.0-12.mga6.x86_64
151KB of additional disk space will be used.
1.6MB of packages will be retrieved.
Is it ok to continue?

$ openssl version
OpenSSL 1.0.2o 27 Mar 2018

$ openssl speed
I let it run through the whole gamut of tests.

Works as designed.
CC: (none) => brtians1
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
$ uname -a
Linux localhost 4.4.114-desktop-1.mga5 #1 SMP Wed Jan 31 19:24:17 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

The following 4 packages are going to be installed:
- lib64openssl-devel-1.0.2o-1.mga5.x86_64
- lib64openssl-engines1.0.0-1.0.2o-1.mga5.x86_64
- lib64openssl1.0.0-1.0.2o-1.mga5.x86_64
- openssl-1.0.2o-1.mga5.x86_64
3.5KB of additional disk space will be used.
2.8MB of packages will be retrieved.
Is it ok to continue?

$ openssl version
OpenSSL 1.0.2o 27 Mar 2018

$ openssl speed
Let it run through the whole gamut.
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK
Also ran to an internal server:

$ openssl s_time -connect server:443
1261 connections in 0.80s; 1576.25 connections/user sec, bytes read 0
1261 connections in 31 real seconds, 0 bytes read per connection
$ uname -a
Linux localhost 4.4.114-desktop-1.mga5 #1 SMP Wed Jan 31 20:41:03 UTC 2018 i686 i686 i686 GNU/Linux

$ openssl version
OpenSSL 1.0.2o 27 Mar 2018

$ openssl speed
Doing mdc2 for 3s on 16 size blocks: 1696395 mdc2's in 2.99s
etc. etc.
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK mga5-32-ok
$ uname -a
Linux localhost 4.14.30-desktop-3.mga6 #1 SMP Sun Mar 25 23:26:07 UTC 2018 i686 i686 i686 GNU/Linux

Rpmdrake or one of its priority dependencies needs to be updated first. Rpmdrake will then restart.

The following 13 packages are going to be installed:
- glibc-devel-2.22-28.mga6.i586
- kernel-userspace-headers-4.14.32-1.mga6.i586
- libopenssl-devel-1.0.2o-1.mga6.i586
- libopenssl-engines1.0.0-1.0.2o-1.mga6.i586
- libopenssl-static-devel-1.0.2o-1.mga6.i586
- libopenssl1.0.0-1.0.2o-1.mga6.i586
- librpm7-4.13.1-3.2.mga6.i586
- libzlib-devel-1.2.11-4.1.mga6.i586
- openssl-1.0.2o-1.mga6.i586
- openssl-perl-1.0.2o-1.mga6.i586
- perl-WWW-Curl-4.170.0-12.mga6.i586
- python3-rpm-4.13.1-3.2.mga6.i586
- rpm-4.13.1-3.2.mga6.i586
27MB of additional disk space will be used.
10MB of packages will be retrieved.

$ openssl version
OpenSSL 1.0.2o 27 Mar 2018

I went ahead and updated the server openssl as well, then ran the below command:

$ openssl s_time -connect <server>
It worked.

$ openssl speed rsa -multi 2
Forked child 0
Forked child 1
+DTP:512:private:rsa:10
+DTP:512:private:rsa:10
etc.

I let the following run until completion:
$ openssl speed

Working as designed.
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK mga5-32-ok => MGA5TOO MGA6-64-OK MGA5-64-OK mga5-32-ok mga6-32-ok
Super work, Brian. Advisoried, validating.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0190.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED