OpenSSL has issued an advisory today (March 15):
https://www.openssl.org/news/secadv/20220315.txt

The issue is fixed upstream in 1.1.1n and 3.0.2.

Mageia 8 is also affected.

As noted in Bug 29768, there is a lingering openssl-1.1.1l-1.mga9.src.rpm in the Cauldron repo that needs to be removed.

Status comment: (none) => Fixed upstream in 1.1.1n and 3.0.2
Whiteboard: (none) => MGA8TOO
Blocks: (none) => 29768
Ubuntu has issued an advisory for this today (March 15): https://ubuntu.com/security/notices/USN-5328-1
(In reply to David Walser from comment #0)
> As noted in Bug 29768, there is a lingering openssl-1.1.1l-1.mga9.src.rpm in
> the Cauldron repo that needs to be removed.

IIRC it got reinstated to unbreak buildsystem while some bits were not yet properly rebuilt against openssl 3...

I'll try to remember to nuke it after the distro rebuild is done

the srpm protects the libs from being removed by autocleaner scripts.

there is no -devel libs for 1.1.1 so nothing can be rebuilt against it
'openssl' is committed by various people, so having to assign this update globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Infinite loop in BN_mod_sqrt() reachable when parsing certificates. (CVE-2022-0778)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778
https://www.openssl.org/news/secadv/20220315.txt
https://ubuntu.com/security/notices/USN-5328-1
========================

Updated packages in core/updates_testing:
========================
lib(64)openssl1.1-1.1.1n-1.mga8
lib(64)openssl-devel-1.1.1n-1.mga8
lib(64)openssl-static-devel-1.1.1n-1.mga8
openssl-1.1.1n-1.mga8
openssl-perl-1.1.1n-1.mga8

from SRPM:
openssl-1.1.1n-1.mga8.src.rpm

Source RPM: openssl-3.0.0-2.mga9.src.rpm, openssl-1.1.1m-1.mga8.src.rpm => openssl-1.1.1m-1.mga8.src.rpm
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2022-0778
Version: Cauldron => 8
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 1.1.1n and 3.0.2 => (none)
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA8TOO => (none)
installed openssl

$ openssl version
OpenSSL 1.1.1n 15 Mar 2022

$ openssl enc -aes-256-cbc -in firefox78_12.txt -out fire.enc

$ cat firefox78_12.txt
The following 11 packages are going to be installed:
blah blah blah

$ cat fire.enc
Salted__[binary ciphertext]

$ openssl enc -d -aes-256-cbc -in fire.enc -out fire.txt

cat fire.txt
The following 11 packages are going to be installed:
blah blah blah

sizes match
live 439 Jul 14 2021 firefox78_12.txt
live 439 Mar 16 10:51 fire.txt

hashes match
$ openssl dgst -md5 firefox78_12.txt
MD5(firefox78_12.txt)= 33e849ed30b6664813656a4e05264f58
$ openssl dgst -md5 fire.txt
MD5(fire.txt)= 33e849ed30b6664813656a4e05264f58

working from my perspective
CC: (none) => brtians1
Installed and tested without issues.

This update has been in use on this workstation for several days without issues. Also did some explicit testing by creating keys and certificates.

Will mark this update as OK for x86_64 to move this along. Please undo if appropriate.

System: Mageia 8, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver.

$ uname -a
Linux marte 5.15.28-desktop-1.mga8 #1 SMP Fri Mar 11 15:54:53 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep openssl
lib64openssl-devel-1.1.1n-1.mga8
libopenssl1.1-1.1.1m-1.mga8
lib64openssl1.1-1.1.1n-1.mga8
openssl-1.1.1n-1.mga8
php-openssl-8.0.17-1.mga8

Whiteboard: (none) => MGA8-64-OK
CC: (none) => mageia
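An added example, not part of the original thread or of Mageia's QA tooling: a small audit that reads `rpm -qa` output and reports which packages built from the openssl SRPM are at or above the fixed upstream releases named in this bug (1.1.1n and 3.0.2). The package-name pattern is taken from the suggested advisory's package list, the sample input is the listing quoted in the comment above, and the function names are illustrative.

```python
import re

# Fixed upstream releases named in the thread: 1.1.1n and 3.0.2.
FIXED_111_LETTER = "n"
FIXED_30_PATCH = 2

# Binary package names from the suggested advisory's package list
# (lib(64)openssl1.1, lib(64)openssl-devel, lib(64)openssl-static-devel,
# openssl, openssl-perl). php-openssl comes from a different SRPM.
OPENSSL_PKG = re.compile(
    r"^(lib(64)?openssl(1\.1|-devel|-static-devel)|openssl(-perl)?)$")

# Sample input: the `rpm -qa | grep openssl` listing quoted in the thread.
SAMPLE = """\
lib64openssl-devel-1.1.1n-1.mga8
libopenssl1.1-1.1.1m-1.mga8
lib64openssl1.1-1.1.1n-1.mga8
openssl-1.1.1n-1.mga8
php-openssl-8.0.17-1.mga8
"""

def status(version):
    """Classify an OpenSSL version as 'fixed', 'vulnerable' or 'unknown'."""
    m = re.fullmatch(r"1\.1\.1([a-z]?)", version)
    if m:  # 1.1.1 series: releases are ordered by the letter suffix
        return "fixed" if m.group(1) >= FIXED_111_LETTER else "vulnerable"
    m = re.fullmatch(r"3\.0\.(\d+)", version)
    if m:  # 3.0 series: releases are ordered by the patch number
        return "fixed" if int(m.group(1)) >= FIXED_30_PATCH else "vulnerable"
    return "unknown"  # series not covered by the versions given in the thread

def audit(rpm_output):
    """Return (package, status) for every openssl-SRPM package listed."""
    findings = []
    for line in rpm_output.split():
        parts = line.rsplit("-", 2)  # name-version-release
        if len(parts) != 3:
            continue
        name, version, _release = parts
        if OPENSSL_PKG.match(name):
            findings.append((line, status(version)))
    return findings

if __name__ == "__main__":
    for pkg, state in audit(SAMPLE):
        print(f"{state:10} {pkg}")
```
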
Validating. Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0113.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED