Bug 30174 - openssl new security issue CVE-2022-0778
Summary: openssl new security issue CVE-2022-0778
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 29768
Reported: 2022-03-15 18:18 CET by David Walser
Modified: 2022-03-23 09:37 CET

See Also:
Source RPM: openssl-1.1.1m-1.mga8.src.rpm
CVE: CVE-2022-0778
Status comment:



Description David Walser 2022-03-15 18:18:59 CET
OpenSSL has issued an advisory today (March 15):
https://www.openssl.org/news/secadv/20220315.txt

The issue is fixed upstream in 1.1.1n and 3.0.2.

Mageia 8 is also affected.

As noted in Bug 29768, there is a lingering openssl-1.1.1l-1.mga9.src.rpm in the Cauldron repo that needs to be removed.
David Walser 2022-03-15 18:19:18 CET

Status comment: (none) => Fixed upstream in 1.1.1n and 3.0.2
Whiteboard: (none) => MGA8TOO
Blocks: (none) => 29768

Comment 1 David Walser 2022-03-15 19:43:54 CET
Ubuntu has issued an advisory for this today (March 15):
https://ubuntu.com/security/notices/USN-5328-1
Comment 2 Thomas Backlund 2022-03-15 20:28:05 CET
(In reply to David Walser from comment #0)
> As noted in Bug 29768, there is a lingering openssl-1.1.1l-1.mga9.src.rpm in
> the Cauldron repo that needs to be removed.

IIRC it got reinstated to unbreak the buildsystem while some bits were not yet properly rebuilt against openssl 3... I'll try to remember to nuke it after the distro rebuild is done.

The srpm protects the libs from being removed by autocleaner scripts.
There are no -devel libs for 1.1.1, so nothing can be rebuilt against it.
Comment 3 Lewis Smith 2022-03-15 21:02:06 CET
'openssl' is committed by various people, so having to assign this update globally.

Assignee: bugsquad => pkg-bugs

Comment 4 Nicolas Salguero 2022-03-16 11:05:11 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Infinite loop in BN_mod_sqrt() reachable when parsing certificates. (CVE-2022-0778)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778
https://www.openssl.org/news/secadv/20220315.txt
https://ubuntu.com/security/notices/USN-5328-1
========================

Updated packages in core/updates_testing:
========================
lib(64)openssl1.1-1.1.1n-1.mga8
lib(64)openssl-devel-1.1.1n-1.mga8
lib(64)openssl-static-devel-1.1.1n-1.mga8
openssl-1.1.1n-1.mga8
openssl-perl-1.1.1n-1.mga8

from SRPM:
openssl-1.1.1n-1.mga8.src.rpm

Source RPM: openssl-3.0.0-2.mga9.src.rpm, openssl-1.1.1m-1.mga8.src.rpm => openssl-1.1.1m-1.mga8.src.rpm
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2022-0778
Version: Cauldron => 8
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 1.1.1n and 3.0.2 => (none)
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA8TOO => (none)

Comment 5 Brian Rockwell 2022-03-16 17:02:17 CET
installed openssl

$ openssl version
OpenSSL 1.1.1n  15 Mar 2022


$ openssl enc -aes-256-cbc -in firefox78_12.txt -out fire.enc

$ cat firefox78_12.txt
The following 11 packages are going to be installed:

blah blah blah

$ cat fire.enc
Salted__�N�Au�y���&���V����[��-6�'�n���ǎ!%`ѿ��2k��ʰ��������oR��g!m�%�3oqo|kOCvl�%3d�.<�Ǘ_�U�4K�U� ��:Rۦr�l�c�W�v��B�&�H�b_͜6�P�$�N}�i�XG֯W𴡚(vճ�&vȅ�}RФg{�"EWެ�aZ!ò��Aa��>,Ź�z0�,��^��*��ɷ%���2ݑ�9�Yo=T|��QtD��ݍ$s�&Ũj
����,�.�xF\@B�*^=�P�_2�h�w*�;��
���?��_�O�q��Ƨ}˾�����s��!��jId4�a��`�n"����'�������ZݛA.AW�Z΋[


$ openssl enc -d -aes-256-cbc -in fire.enc -out fire.txt

$ cat fire.txt
The following 11 packages are going to be installed:

blah blah blah

sizes match

live 439 Jul 14  2021 firefox78_12.txt
live 439 Mar 16 10:51 fire.txt

hashes match

$ openssl dgst -md5 firefox78_12.txt
MD5(firefox78_12.txt)= 33e849ed30b6664813656a4e05264f58
$ openssl dgst -md5 fire.txt
MD5(fire.txt)= 33e849ed30b6664813656a4e05264f58


working from my perspective

CC: (none) => brtians1

Comment 6 PC LX 2022-03-21 20:49:08 CET
Installed and tested without issues.

This update has been in use on this workstation for several days without issues.
Also did some explicit testing by creating keys and certificates.
Will mark this update as OK for x86_64 to move this along.
Please undo if appropriate.


System: Mageia 8, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver.


$ uname -a
Linux marte 5.15.28-desktop-1.mga8 #1 SMP Fri Mar 11 15:54:53 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep openssl
lib64openssl-devel-1.1.1n-1.mga8
libopenssl1.1-1.1.1m-1.mga8
lib64openssl1.1-1.1.1n-1.mga8
openssl-1.1.1n-1.mga8
php-openssl-8.0.17-1.mga8

Whiteboard: (none) => MGA8-64-OK
CC: (none) => mageia
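The advisory in Comment 4 names the fixed releases (1.1.1n on the 1.1.1 branch, 3.0.2 on the 3.0 branch) and the package set, while the rpm -qa listing in Comment 6 still shows the 32-bit libopenssl1.1 at 1.1.1m next to lib64openssl1.1 at 1.1.1n. The script below is an added example, not code from this bug, from Mageia or from the OpenSSL project: it turns those two version rules into a check over rpm package names and over the line printed by `openssl version`. The sample package list is constructed to mirror Comment 6, and the check deliberately covers only the two branches named in this bug, reporting any other version as "unchecked" rather than guessing.

```shell
#!/bin/sh
# Added example, not code from this bug, Mageia or the OpenSSL project.
# Checks OpenSSL versions against the fixed releases named in this bug for
# CVE-2022-0778: 1.1.1n on the 1.1.1 branch and 3.0.2 on the 3.0 branch.
# Any other branch is reported as "unchecked" instead of being guessed at.

# openssl_version_status VERSION
#   VERSION is an upstream version such as 1.1.1m, 1.1.1n or 3.0.2.
#   Returns 0 = fixed, 1 = vulnerable, 2 = branch not covered by this check.
openssl_version_status() {
    ver="$1"
    case "$ver" in
        1.1.1*)
            # Letter releases: 1.1.1n and later carry the fix; bare 1.1.1 predates it.
            letter="${ver#1.1.1}"
            case "$letter" in
                [nopqrstuvwxyz]*) return 0 ;;
                ""|[abcdefghijklm]*) return 1 ;;
                *) return 2 ;;
            esac
            ;;
        3.0.*)
            # Patch releases: 3.0.2 and later carry the fix.
            patch="${ver#3.0.}"
            patch="${patch%%[!0-9]*}"      # keep the leading digits only
            [ -n "$patch" ] || return 2
            [ "$patch" -ge 2 ] && return 0
            return 1
            ;;
        *)
            return 2
            ;;
    esac
}

# rpm_version_of PKGNAME
#   Upstream version from an "rpm -qa" style name: drop the trailing
#   "-<release>", then keep the last "-" separated field.
#   lib64openssl1.1-1.1.1n-1.mga8 -> 1.1.1n ; php-openssl-8.0.17-1.mga8 -> 8.0.17
rpm_version_of() {
    name="${1%-*}"
    printf '%s\n' "${name##*-}"
}

# classify_package PKGNAME
#   Prints "PKGNAME<TAB>VERSION<TAB>fixed|VULNERABLE|unchecked" and returns
#   the same code as openssl_version_status.
classify_package() {
    pkg="$1"
    pkgver=$(rpm_version_of "$pkg")
    status=0
    openssl_version_status "$pkgver" || status=$?
    case "$status" in
        0) label=fixed ;;
        1) label=VULNERABLE ;;
        *) label=unchecked ;;
    esac
    printf '%s\t%s\t%s\n' "$pkg" "$pkgver" "$label"
    return "$status"
}

# audit_packages PKGNAME...
#   Classifies every name given; returns 1 if any package is still vulnerable.
audit_packages() {
    bad=0
    for pkg in "$@"; do
        rc=0
        classify_package "$pkg" || rc=$?
        if [ "$rc" -eq 1 ]; then bad=1; fi
    done
    return "$bad"
}

# openssl_version_line_status "OpenSSL 1.1.1n  15 Mar 2022"
#   Checks the line printed by `openssl version` (its second field is the version).
openssl_version_line_status() {
    # shellcheck disable=SC2086  # word splitting of the line is intended
    set -- $1
    openssl_version_status "$2"
}

# Constructed sample mirroring the `rpm -qa | grep openssl` listing in
# Comment 6, where the 32-bit libopenssl1.1 is still at 1.1.1m.
SAMPLE_PACKAGES="lib64openssl-devel-1.1.1n-1.mga8
libopenssl1.1-1.1.1m-1.mga8
lib64openssl1.1-1.1.1n-1.mga8
openssl-1.1.1n-1.mga8
php-openssl-8.0.17-1.mga8"

# shellcheck disable=SC2086  # split on newlines into one name per argument
audit_packages $SAMPLE_PACKAGES || echo "sample list: an OpenSSL package is still below the fixed release"

# Same checks against the live host, skipped where openssl or rpm is absent.
if command -v openssl >/dev/null 2>&1; then
    line=$(openssl version 2>/dev/null)
    if openssl_version_line_status "$line"; then
        echo "openssl binary: fixed ($line)"
    else
        echo "openssl binary: not confirmed fixed ($line)"
    fi
fi
if command -v rpm >/dev/null 2>&1; then
    # shellcheck disable=SC2046
    audit_packages $(rpm -qa 2>/dev/null | grep -i openssl) || echo "host: OpenSSL update needed"
fi
```

Run it as a plain script; on an rpm host it also audits `rpm -qa | grep -i openssl` and exits the audit with a non-zero status when any OpenSSL 1.1.1 or 3.0 package is below the fixed release, which is the condition the Comment 6 listing would have tripped on for libopenssl1.1. A name-based check only covers the OpenSSL packages themselves: php-openssl comes out as "unchecked" because its version is PHP's, and it picks up the fix through the shared library it loads, not through a version of its own.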

Comment 7 Thomas Andrews 2022-03-22 15:21:06 CET
Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-03-22 18:27:24 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2022-03-23 09:37:38 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0113.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

