https://linuxsecurity.com/advisories/debian/debian-dsa-4594-1-openssl1-0-security-update-17-13-06
CVE: (none) => CVE-2019-1551
Component: RPM Packages => Security
Suggested advisory:
========================

The updated packages fix a security vulnerability:

There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. (CVE-2019-1551)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551
https://linuxsecurity.com/advisories/debian/debian-dsa-4594-1-openssl1-0-security-update-17-13-06
========================

Updated packages in core/updates_testing:
========================

compat-openssl10-1.0.2u-1.mga7
lib(64)compat-openssl10_1.0.0-1.0.2u-1.mga7
lib(64)compat-openssl10-devel-1.0.2u-1.mga7

from SRPMS:
compat-openssl10-1.0.2u-1.mga7.src.rpm
Source RPM: openssl => compat-openssl10-1.0.2t-1.mga7.src.rpm
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: bugsquad => qa-bugs
Upstream advisory: https://www.openssl.org/news/secadv/20191206.txt

Actual Debian advisory: https://www.debian.org/security/2019/dsa-4594

This issue likely affects openssl 1.1.0 as well (if it affects 1.0 and 1.1.1, how could it not?), but upstream isn't saying because they're not supporting it anymore. We need to get a patch from somewhere or backport the commit referenced in the upstream advisory.
Keywords: (none) => feedback
QA Contact: (none) => security
Summary: Guido Vranken discovered an overflow bug in the x64_64 Montgomery squaring procedure => openssl new security issue CVE-2019-1551
Updated packages in core/updates_testing:
========================

compat-openssl10-1.0.2u-1.mga7
lib(64)compat-openssl10_1.0.0-1.0.2u-1.mga7
lib(64)compat-openssl10-devel-1.0.2u-1.mga7
openssl-1.1.0l-1.1.mga7
lib(64)openssl1.1-1.1.0l-1.1.mga7
lib(64)openssl-devel-1.1.0l-1.1.mga7
lib(64)openssl-static-devel-1.1.0l-1.1.mga7
openssl-perl-1.1.0l-1.1.mga7

from SRPMS:
compat-openssl10-1.0.2u-1.mga7.src.rpm
openssl-1.1.0l-1.1.mga7.src.rpm
Source RPM: compat-openssl10-1.0.2t-1.mga7.src.rpm => compat-openssl10-1.0.2t-1.mga7.src.rpm, openssl-1.1.0l-1.mga7.src.rpm
Keywords: feedback => (none)
Advisory:
========================

Updated compat-openssl10 and openssl packages fix security vulnerability:

There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME (CVE-2019-1551).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551
https://www.openssl.org/news/secadv/20191206.txt
Installed and tested without issue.

The openssl packages are used by lots of other packages in the system and after several days of usage nothing broke. Also did some tests with the openssl command (e.g. create keys and certificates), so I'm giving it an OK.

System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 5.4.6-desktop-2.mga7 #1 SMP Mon Dec 23 12:05:27 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | egrep 'openssl.*1\.(0|1)' | sort
lib64compat-openssl10_1.0.0-1.0.2u-1.mga7
lib64openssl1.1-1.1.0l-1.1.mga7
libopenssl1.1-1.1.0l-1.1.mga7
openssl-1.1.0l-1.1.mga7
CC: (none) => mageia
Whiteboard: (none) => MGA7-64-OK
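An added example, not part of this bug report or of the Mageia packages: a small Python check that reads `rpm -qa` output like the one in the test report above and flags openssl packages still older than the fixed 1.0.2u-1.mga7 and 1.1.0l-1.1.mga7 builds named in the advisory. The rpmvercmp implementation is a simplified version (no tilde or caret handling) and the lib/lib64 name-to-SRPM mapping covers only the package names seen on this page; both are assumptions.

```python
import re

# Fixed version-release pairs from the advisory in this bug report.
FIXED = {"compat-openssl10": ("1.0.2u", "1.mga7"), "openssl": ("1.1.0l", "1.1.mga7")}

# Constructed `rpm -qa` output: the first four lines are from the test report above,
# the rest are made up (unpatched 1.1.0l-1.mga7, the old 1.0.2t, an unrelated package).
SAMPLE = """\
lib64compat-openssl10_1.0.0-1.0.2u-1.mga7
lib64openssl1.1-1.1.0l-1.1.mga7
libopenssl1.1-1.1.0l-1.1.mga7
openssl-1.1.0l-1.1.mga7
lib64openssl1.1-1.1.0l-1.mga7
compat-openssl10-1.0.2t-1.mga7
bash-5.0-1.mga7
"""

def rpmvercmp(a, b):
    """Simplified rpmvercmp (no tilde/caret handling): returns -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alpha one
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # more segments wins a tie

def source_package(name):
    """Map a binary package name (lib/lib64 prefix stripped) to its SRPM name."""
    base = re.sub(r"^lib(64)?", "", name)
    return next((src for src in FIXED if base.startswith(src)), None)

def is_fixed(nvr):
    """True/False for an openssl name-version-release string, None for others."""
    parts = nvr.rsplit("-", 2)
    src = source_package(parts[0]) if len(parts) == 3 else None
    if src is None:
        return None
    fixed_version, fixed_release = FIXED[src]
    # compare version first; only on a tie does the release decide
    c = rpmvercmp(parts[1], fixed_version) or rpmvercmp(parts[2], fixed_release)
    return c >= 0

def check_rpm_qa(output):
    """Return {nvr: fixed?} for every openssl package in `rpm -qa` output."""
    return {line: ok for line in output.split() if (ok := is_fixed(line)) is not None}
```

Feed it the real output with `check_rpm_qa(subprocess.check_output(["rpm", "-qa"], text=True))`; any False entry is a package that has not picked up the update.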
Thank you, PC LX. Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0023.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED