Upstream has issued an advisory today (February 26): https://www.openssl.org/news/secadv/20190226.txt

The issue is fixed upstream in 1.0.2r (1.1.0 isn't affected).

Updated packages (including compat-openssl10 in Cauldron) uploaded for Mageia 6 and Cauldron.

Testing procedure: https://wiki.mageia.org/en/QA_procedure:Openssl

Advisory:
========================

Updated openssl packages fix security vulnerability:

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data (CVE-2019-1559).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559
https://www.openssl.org/news/secadv/20190226.txt
========================

Updated packages in core/updates_testing:
========================
openssl-1.0.2r-1.mga6
libopenssl-engines1.0.0-1.0.2r-1.mga6
libopenssl1.0.0-1.0.2r-1.mga6
libopenssl-devel-1.0.2r-1.mga6
libopenssl-static-devel-1.0.2r-1.mga6
openssl-perl-1.0.2r-1.mga6

from openssl-1.0.2r-1.mga6.src.rpm
Keywords: (none) => has_procedure
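The advisory's point is that a padding failure and a MAC failure on a record must be indistinguishable to the peer; the moment the two produce different observable outcomes, a padding oracle exists. The following is an added example (not OpenSSL's code and not part of the Mageia package): a simplified Python model of the record check, run on already-decrypted CBC plaintext (data || MAC || padding) with a constructed key and a truncated MAC input, that contrasts a check which reports the two failures differently with one that collapses both to a single bad_record_mac result, plus the defender's test for whether a given check leaks.

```python
import hmac
import hashlib

# Constructed example key; a real TLS session derives this from the handshake.
MAC_KEY = b"example-mac-key"
MAC_LEN = hashlib.sha256().digest_size

def tls_pad(data: bytes, block: int = 16) -> bytes:
    """TLS 1.x CBC padding: pad_len + 1 bytes, each equal to pad_len."""
    pad_len = (block - (len(data) + 1) % block) % block
    return data + bytes([pad_len] * (pad_len + 1))

def build_plaintext(app_data: bytes) -> bytes:
    """What the receiver sees after CBC decryption: data || MAC || padding.
    Simplification: the MAC covers only the data, not seq number and header."""
    mac = hmac.new(MAC_KEY, app_data, hashlib.sha256).digest()
    return tls_pad(app_data + mac)

def vulnerable_check(pt: bytes) -> str:
    """Models a check that reports bad padding and bad MAC differently."""
    pad_len = pt[-1]
    if pad_len + 1 > len(pt) or any(b != pad_len for b in pt[-(pad_len + 1):]):
        return "decryption_failed"     # distinct outcome: this is the oracle
    body = pt[:-(pad_len + 1)]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(MAC_KEY, data, hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(mac, expected) else "bad_record_mac"

def uniform_check(pt: bytes) -> str:
    """Hardened check: on bad padding, continue with pad_len = 0 so the MAC
    check always runs, and report both failures as the same result."""
    pad_len = pt[-1]
    pad_ok = (pad_len + 1 <= len(pt) - MAC_LEN
              and all(b == pad_len for b in pt[-(pad_len + 1):]))
    if not pad_ok:
        pad_len = 0
    body = pt[:-(pad_len + 1)]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(MAC_KEY, data, hashlib.sha256).digest()
    mac_ok = hmac.compare_digest(mac, expected)
    return "ok" if (pad_ok and mac_ok) else "bad_record_mac"

def distinguishable(check) -> bool:
    """Defender's test: a 0-byte record with corrupted padding versus one with a
    corrupted MAC. If the outcomes differ, the check leaks a padding oracle."""
    good = build_plaintext(b"")                        # 0-byte record, as in the advisory
    bad_pad = good[:-1] + bytes([good[-1] ^ 0x01])     # corrupt the last padding byte
    bad_mac = bytearray(good)
    bad_mac[0] ^= 0x01                                 # data is empty, so byte 0 is MAC
    return check(bad_pad) != check(bytes(bad_mac))
```

In this model distinguishable(vulnerable_check) is True and distinguishable(uniform_check) is False; a real check must also keep the timing of the two paths equal, which this model does not attempt.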
mga6, x86_64

Packages updated cleanly. Testing this later today using the published procedure and including a connection test across the LAN.
CC: (none) => tarazed25
Installed and tested without issue. Tests included:

- apache plus apache_mod (HTTPS requests, sslscan, online SSL testing);
- sslscan several servers (HTTPS/443, IMAPS/993);
- wget https://example.com/ and other HTTPS URLs;
- links https://example.com/ and other HTTPS URLs;
- PHP script that makes use of php-openssl;
- mariadb server (CLI client, phpmyadmin, php scripts);
- dovecot server (sslscan, roundcubemail, kmail, k9);
- normal workstation usage (lots of stuff uses openssl even if indirectly).

System: Mageia 6, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 4.14.100-desktop-1.mga6 #1 SMP Fri Feb 15 09:29:46 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep openssl | sort
lib64openssl1.0.0-1.0.2r-1.mga6
lib64openssl-engines1.0.0-1.0.2r-1.mga6
libopenssl1.0.0-1.0.2r-1.mga6
libopenssl-engines1.0.0-1.0.2r-1.mga6
openssl-1.0.2r-1.mga6
php-openssl-7.2.14-1.mga6
CC: (none) => mageia
$ uname -a
Linux localhost.localdomain 4.14.104-desktop-2.mga6 #1 SMP Wed Feb 27 17:08:11 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

The following 5 packages are going to be installed:

- lib64openssl-engines1.0.0-1.0.2r-1.mga6.x86_64
- lib64openssl1.0.0-1.0.2r-1.mga6.x86_64
- openssl-1.0.2r-1.mga6.x86_64
- openssl-perl-1.0.2r-1.mga6.x86_64
- perl-WWW-Curl-4.170.0-12.mga6.x86_64

151KB of additional disk space will be used.
1.6MB of packages will be retrieved.

-- after installation --

$ openssl version
OpenSSL 1.0.2r  26 Feb 2019

$ openssl ciphers -v
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
...etc..etc...etc...

$ openssl ciphers -v 'AES+HIGH'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
...etc....

bash-4.3$ openssl speed
Doing mdc2 for 3s on 16 size blocks: 1586052 mdc2's in 3.00s
Doing mdc2 for 3s on 64 size blocks: 429949 mdc2's in 3.00s
Doing mdc2 for 3s on 256 size blocks: 109377 mdc2's in 3.00s
Doing mdc2 for 3s on 1024 size blocks: 27287 mdc2's in 3.00s
Doing mdc2 for 3s on 8192 size blocks: 3410 mdc2's in 3.00s
Doing md4 for 3s on 16 size blocks: 8497095 md4's in 3.00s
Doing md4 for 3s on 64 size blocks: 6802666 md4's in 3.00s
Doing md4 for 3s on 256 size blocks: 4253263 md4's in 3.00s
Doing md4 for 3s on 1024 size blocks: 1707490 md4's in 3.00s
Doing md4 for 3s on 8192 size blocks: 259572 md4's in 2.99s
Doing md5 for 3s on 16 size blocks: 6421679 md5's in 3.00s
Doing md5 for 3s on 64 size blocks: 4922378 md5's in 2.98s
Doing md5 for 3s on 256 size blocks: 2935464 md5's in 3.00s
Doing md5 for 3s on 1024 size blocks: 1121294 md5's in 3.00s
Doing md5 for 3s on 8192 size blocks: 164222 md5's in 2.99s
...after about 15 minutes of testing I killed it...

That was all of the testing I could do at this time. Looks good to me.
CC: (none) => brtians1
MGA6-32 MATE on IBM Thinkpad R50e

No installation issues.
Ran all tests from wiki (except multi-core) including test to a server in the LAN.
All output looks OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK
Marking as OK for x86_64 based on comment 2 and comment 3.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
All looks good to me. Validating. Suggested advisory in Comment 0.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0106.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED