OpenSSL has issued an advisory on February 16: https://www.openssl.org/news/secadv/20210216.txt The issues are fixed upstream in 1.1.1j. Mageia 7 is also affected.
Whiteboard: (none) => MGA8TOO, MGA7TOO
Hi, thanks for reporting this. As there is no maintainer for this package I added the committers in CC. (Please set the status to 'assigned' if you are working on it)
CC: (none) => nicolas.salguero, ouaurelien
Assignee: bugsquad => pkg-bugs
Debian has issued an advisory for this on February 17: https://www.debian.org/security/2021/dsa-4855
Debian-LTS has issued an advisory for this on February 18: https://www.debian.org/lts/security/2021/dla-2563 They patched 1.1.0* (which we have in Mageia 7).
Debian-LTS has issued an advisory for this on February 18: https://www.debian.org/lts/security/2021/dla-2565 They patched 1.0.2* (which is what compat-openssl10 is).
Ubuntu has issued an advisory for this on February 18: https://ubuntu.com/security/notices/USN-4738-1
src:
mageia 7:
- openssl-1.1.0l-1.3.mga7
- compat-openssl10-1.0.2u-1.2.mga7
mageia 8:
- openssl-1.1.1j-1.mga8
Version: Cauldron => 8
CC: (none) => mageia
Package list:
compat-openssl10-1.0.2u-1.2.mga7
libcompat-openssl10_1.0.0-1.0.2u-1.2.mga7
libcompat-openssl10-devel-1.0.2u-1.2.mga7
openssl-1.1.0l-1.3.mga7
libopenssl1.1-1.1.0l-1.3.mga7
libopenssl-devel-1.1.0l-1.3.mga7
libopenssl-static-devel-1.1.0l-1.3.mga7
openssl-perl-1.1.0l-1.3.mga7
openssl-1.1.1j-1.mga8
libopenssl-devel-1.1.1j-1.mga8
libopenssl1.1-1.1.1j-1.mga8
openssl-perl-1.1.1j-1.mga8
libopenssl-static-devel-1.1.1j-1.mga8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Assignee: pkg-bugs => qa-bugs
Advisory:
========================

Updated openssl and compat-openssl10 packages fix security vulnerabilities:

Paul Kehrer discovered that OpenSSL incorrectly handled certain input lengths in EVP functions. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service (CVE-2021-23840).

Tavis Ormandy discovered that OpenSSL incorrectly handled parsing issuer fields. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service (CVE-2021-23841).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23840
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23841
https://www.openssl.org/news/secadv/20210216.txt
https://ubuntu.com/security/notices/USN-4738-1
Running this piece of software since assigned: no regressions. SSL OK. MGA8-64-OK MGA7-64-OK Advisory pushed to SVN. Ping QA users.
Keywords: (none) => advisory
CVE: (none) => CVE-2021-23840, CVE-2021-23841
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK MGA8-64-OK
MGA7-64 MATE on Peaq C1011
No installation issues
Following wiki for tests:

$ openssl version -a
OpenSSL 1.1.0l 10 Sep 2019
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) md2(char) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DPURIFY -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config" -DOPENSSLDIR="\"/etc/pki/tls\"" -DENGINESDIR="\"/usr/lib64/engines-1.1\"" -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -Wa,--noexecstack
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-1.1"
engines: rdrand dynamic

# openssl ciphers -v
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
and a lot more ....

# openssl ciphers -v -tls1
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(128) Mac=AEAD
and more ....

# openssl ciphers -v 'HIGH'
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(256) Mac=AEAD
etc ......

# openssl ciphers -v 'AES+HIGH'
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(256) Mac=AEAD
DHE-RSA-AES256-CCM8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(256) Mac=AEAD
DHE-RSA-AES256-CCM TLSv1.2 Kx=DH Au=RSA Enc=AESCCM(256) Mac=AEAD
ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
etc .....

Continuing tests ......
CC: (none) => herman.viaene
$ openssl speed
Doing md2 for 3s on 16 size blocks: 345506 md2's in 2.99s
Doing md2 for 3s on 64 size blocks: 182067 md2's in 3.00s
Doing md2 for 3s on 256 size blocks: 62538 md2's in 3.00s
Doing md2 for 3s on 1024 size blocks: 17248 md2's in 3.00s
Doing md2 for 3s on 8192 size blocks: 2223 md2's in 2.99s
Doing md2 for 3s on 16384 size blocks: 1103 md2's in 3.00s
etc......

$ openssl speed rsa
Doing 512 bit private rsa's for 10s: 38248 512 bit private RSA's in 10.00s
Doing 512 bit public rsa's for 10s: 463033 512 bit public RSA's in 10.00s
etc ....

Other tests from the wiki run into problems because of syntax and file location changes; not exploring those, this should be enough, I guess.
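One check worth adding to the QA run above: `openssl version` still prints 1.1.0l on the patched Mageia 7 build, so "is it at least 1.1.1j?" is the wrong question for that branch; the installed package NVR must be compared against the fixed NVR listed in this ticket. The script below is an added example, not part of the ticket or of Mageia's tooling; it assumes GNU `sort -V` is available and feeds in constructed NVR strings instead of querying rpm.

```shell
#!/bin/sh
# Added example: decide whether an installed openssl package already carries
# the fix for CVE-2021-23840 / CVE-2021-23841 on a given Mageia branch.
# Fixed version-release values are the ones from this ticket's package list;
# the NVR strings handed to these functions are constructed sample inputs.

# Fixed version-release per Mageia branch (from the ticket's "src:" comment).
fixed_vr_for_branch() {
    case "$1" in
        7) echo "1.1.0l-1.3.mga7" ;;
        8) echo "1.1.1j-1.mga8" ;;
        *) echo "unknown Mageia branch: $1" >&2; return 1 ;;
    esac
}

# Return 0 when the NVR in $1 (e.g. openssl-1.1.0l-1.2.mga7) is at or above
# the fixed version-release for branch $2. GNU sort -V (assumed present)
# orders the two strings; if the fixed one sorts first, the installed one is
# equal or newer.
nvr_is_fixed() {
    nvr=$1; branch=$2
    fixed=$(fixed_vr_for_branch "$branch") || return 2
    vr=${nvr#openssl-}
    lowest=$(printf '%s\n%s\n' "$fixed" "$vr" | sort -V | head -n 1)
    [ "$lowest" = "$fixed" ]
}

# The naive check, for contrast: compare what "openssl version" reports
# against upstream's fixed release 1.1.1j. Mageia 7's patched 1.1.0l fails
# this even though it is fixed, which is why nvr_is_fixed compares the
# distribution's own NVR instead.
upstream_version_at_least_1_1_1j() {
    lowest=$(printf '%s\n%s\n' "1.1.1j" "$1" | sort -V | head -n 1)
    [ "$lowest" = "1.1.1j" ]
}

# Sample run with constructed inputs.
for nvr in openssl-1.1.0l-1.2.mga7 openssl-1.1.0l-1.3.mga7; do
    if nvr_is_fixed "$nvr" 7; then echo "$nvr: fixed"; else echo "$nvr: NOT fixed"; fi
done
```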
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0108.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED