Upstream has issued advisories on October 29/30 and November 2:
https://www.openssl.org/news/secadv/20181029.txt
https://www.openssl.org/news/secadv/20181030.txt
https://www.openssl.org/news/secadv/20181112.txt

The October 29 advisory (CVE-2018-0735) only affects Cauldron.

The issues are fixed upstream in 1.0.2q and 1.1.0j.

compat-openssl10 in Cauldron and openssl in Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing some committers.
CC: (none) => geiger.david68210, guillomovitch, marja11, nicolas.salguero, rverschelde
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p). (CVE-2018-0734)

Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'. (CVE-2018-5407)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5407
========================

Updated packages in core/updates_testing:
========================

openssl-1.0.2q-1.mga6
lib(64)openssl-engines1.0.0-1.0.2q-1.mga6
lib(64)openssl1.0.0-1.0.2q-1.mga6
lib(64)openssl-devel-1.0.2q-1.mga6
lib(64)openssl-static-devel-1.0.2q-1.mga6
openssl-perl-1.0.2q-1.mga6

from SRPMS:
openssl-1.0.2q-1.mga6.src.rpm
CVE: (none) => CVE-2018-0734, CVE-2018-5407
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Installed and tested without issues.

Did some minimal explicit testing using the openssl command and have about 40 processes using openssl libs and there were no regressions. Seems OK here.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ grep /usr/lib64/libssl.so.1.0.0 [0-9]*/maps | egrep -o '^[0-9]+' | sort -u | wc -l
40

$ openssl s_client -connect example.com:443
CONNECTED(00000003)
<SNIP>

$ openssl speed
<SNIP>

$ rpm -qa | egrep openssl.*1.0.2 | sort -u
lib64openssl1.0.0-1.0.2q-1.mga6
lib64openssl-engines1.0.0-1.0.2q-1.mga6
libopenssl1.0.0-1.0.2q-1.mga6
libopenssl-engines1.0.0-1.0.2q-1.mga6
openssl-1.0.2q-1.mga6
CC: (none) => mageia
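The preceding test report counts processes that map libssl via /proc/*/maps and lists the installed openssl packages by hand. The script below is an added example, not code from the bug report or from Mageia, that automates both checks on constructed sample data and goes one step further: a mapping whose path ends in "(deleted)" means the process loaded a copy of the library that has since been replaced on disk, so it keeps running the pre-update code until it is restarted. The version ordering is a simplified approximation of rpm's comparison (numeric segments compare numerically and rank above alphabetic ones), which is sufficient for strings such as 1.0.2p and 1.0.2q. The PIDs, map lines and package list are constructed; `read_proc_maps` is the only function that touches a live host.

```python
"""Post-update checks for a shared-library security fix (OpenSSL here).

Added example, not part of the bug report. All sample data is constructed.
"""
import os
import re
from typing import Dict, List, Tuple

# One line of /proc/<pid>/maps: address perms offset dev inode [path]
# A path ending in ' (deleted)' is a mapped file that was replaced or unlinked.
MAPS_LINE = re.compile(
    r"^\S+ \S+ \S+ \S+ \d+\s+(?P<path>/.*?)(?P<deleted> \(deleted\))?$"
)

# Constructed sample: pid -> abridged /proc/<pid>/maps contents.
SAMPLE_MAPS: Dict[int, str] = {
    1234: "7f3a2c000000-7f3a2c200000 r-xp 00000000 08:01 393452 /usr/lib64/libssl.so.1.0.0\n"
          "7f3a2c400000-7f3a2c600000 r-xp 00000000 08:01 393450 /usr/lib64/libcrypto.so.1.0.0\n",
    2345: "7f1b00000000-7f1b00200000 r-xp 00000000 08:01 393111 /usr/lib64/libssl.so.1.0.0 (deleted)\n"
          "7f1b00400000-7f1b00600000 r-xp 00000000 08:01 393110 /usr/lib64/libcrypto.so.1.0.0 (deleted)\n",
    3456: "55d0c0000000-55d0c0100000 r-xp 00000000 08:01 10001 /usr/bin/sleep\n",
}

# Constructed sample of `rpm -qa | grep openssl` output; one package is still old.
SAMPLE_RPMS: List[str] = [
    "openssl-1.0.2q-1.mga6",
    "lib64openssl1.0.0-1.0.2q-1.mga6",
    "lib64openssl-engines1.0.0-1.0.2q-1.mga6",
    "libopenssl1.0.0-1.0.2p-1.mga6",  # constructed: still the vulnerable version
]


def read_proc_maps() -> Dict[int, str]:
    """Collect /proc/<pid>/maps for every readable process on a Linux host."""
    out: Dict[int, str] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/maps") as fh:
                out[int(entry)] = fh.read()
        except OSError:  # process exited or not readable by this user
            continue
    return out


def library_users(maps_by_pid: Dict[int, str], library: str) -> Dict[int, bool]:
    """Return {pid: stale} for every process mapping `library` (a basename).

    stale is True when at least one mapping of the library is '(deleted)',
    i.e. the process loaded a copy that has since been replaced on disk.
    """
    users: Dict[int, bool] = {}
    for pid, maps in maps_by_pid.items():
        for line in maps.splitlines():
            match = MAPS_LINE.match(line)
            if not match or match.group("path").rsplit("/", 1)[-1] != library:
                continue
            users[pid] = users.get(pid, False) or match.group("deleted") is not None
    return users


def needs_restart(maps_by_pid: Dict[int, str], library: str) -> List[int]:
    """PIDs that still execute the pre-update copy of `library`."""
    return sorted(pid for pid, stale in library_users(maps_by_pid, library).items() if stale)


def version_key(version: str) -> List[Tuple[int, object]]:
    """Split '1.0.2q' into segments ordered roughly as rpm orders them.

    Numeric segments compare numerically and rank above alphabetic ones, so
    1.0.2p < 1.0.2q < 1.0.3. Simplified rpmvercmp; enough for these strings.
    """
    return [(1, int(seg)) if seg.isdigit() else (0, seg)
            for seg in re.findall(r"\d+|[A-Za-z]+", version)]


def is_fixed(installed: str, fixed: str) -> bool:
    """True when `installed` is at least the fixed version."""
    return version_key(installed) >= version_key(fixed)


def audit_packages(rpm_lines: List[str], fixed: str) -> Dict[str, bool]:
    """Map package name -> True if its version is at least `fixed`.

    rpm NVR strings split from the right into name-version-release.
    """
    result: Dict[str, bool] = {}
    for line in rpm_lines:
        name, version, _release = line.rsplit("-", 2)
        result[name] = is_fixed(version, fixed)
    return result


if __name__ == "__main__":
    lib = "libssl.so.1.0.0"
    users = library_users(SAMPLE_MAPS, lib)
    print(f"{len(users)} processes map {lib}")           # the wc -l from the report
    print("restart needed:", needs_restart(SAMPLE_MAPS, lib))
    for name, ok in audit_packages(SAMPLE_RPMS, "1.0.2q").items():
        print(f"{name}: {'fixed' if ok else 'VULNERABLE'}")
```

On a real Mageia 6 host, replace `SAMPLE_MAPS` with `read_proc_maps()` (run as root to see every process) and feed `audit_packages` the output of `rpm -qa | grep openssl`; a non-empty `needs_restart` list after the update means the fix is installed but not yet in effect for those services.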
I forgot some references.

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p). (CVE-2018-0734)

Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'. (CVE-2018-5407)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5407
https://www.openssl.org/news/secadv/20181030.txt
https://www.openssl.org/news/secadv/20181112.txt
========================

Updated packages in core/updates_testing:
========================

openssl-1.0.2q-1.mga6
lib(64)openssl-engines1.0.0-1.0.2q-1.mga6
lib(64)openssl1.0.0-1.0.2q-1.mga6
lib(64)openssl-devel-1.0.2q-1.mga6
lib(64)openssl-static-devel-1.0.2q-1.mga6
openssl-perl-1.0.2q-1.mga6

from SRPMS:
openssl-1.0.2q-1.mga6.src.rpm
Have this update installed for a week without issues so I'm giving it the OK for x86_64 to push it forward. Please, remove the OK if you think otherwise.
Whiteboard: (none) => MGA6-64-OK
(In reply to PC LX from comment #5)
> Have this update installed for a week without issues so I'm giving it the OK
> for x86_64 to push it forward.

Thanks for that. Advisory from comment 4; validating.
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0470.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED