Bug 29328 - opencryptoki new security issue in handling EC keys
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-08-04 20:02 CEST by David Walser
Modified: 2021-09-10 09:30 CEST

See Also:
Source RPM: opencryptoki-3.15.1-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2021-08-04 20:02:51 CEST
Ubuntu has issued an advisory today (August 4):
https://ubuntu.com/security/notices/USN-5031-1

Mageia 8 is also affected.
David Walser 2021-08-04 20:03:10 CEST

Assignee: bugsquad => geiger.david68210
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from Ubuntu

Comment 1 David Walser 2021-09-03 19:39:12 CEST
Fedora has issued an advisory for this on September 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FLP3UNIVGYENSFGVADMQ2IYP4A3TDYJC/
Comment 2 Marja Van Waes 2021-09-08 22:23:24 CEST
CC'ing all packagers collectively, because daviddavid hasn't been around since three months ago. Any packager should feel free to take this bug.

CC: (none) => marja11, pkg-bugs

Comment 3 Nicolas Salguero 2021-09-10 09:29:46 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

It was discovered that openCryptoki incorrectly handled certain EC keys. An attacker could possibly use this issue to cause an invalid curve attack.

References:
https://ubuntu.com/security/notices/USN-5031-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FLP3UNIVGYENSFGVADMQ2IYP4A3TDYJC/
========================

Updated packages in core/updates_testing:
========================
opencryptoki-3.15.1-1.1.mga8
opencryptoki-swtok-3.15.1-1.1.mga8
opencryptoki-tpmtok-3.15.1-1.1.mga8
opencryptoki-icsftok-3.15.1-1.1.mga8
lib(64)opencryptoki0-3.15.1-1.1.mga8
lib(64)opencryptoki-devel-3.15.1-1.1.mga8

from SRPM:
opencryptoki-3.15.1-1.1.mga8.src.rpm

Assignee: geiger.david68210 => qa-bugs
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Status: NEW => ASSIGNED
Status comment: Patch available from Ubuntu => (none)
CC: (none) => nicolas.salguero

Nicolas Salguero 2021-09-10 09:30:04 CEST

Source RPM: opencryptoki-3.16.0-1.mga9.src.rpm => opencryptoki-3.15.1-1.mga8.src.rpm

