OpenSSL has issued an advisory today (May 3): https://www.openssl.org/news/secadv/20220503.txt The issues are fixed upstream in 1.1.1o and 3.0.3. Mageia 8 is also affected by CVE-2022-1292.
Status comment: (none) => Fixed upstream in 1.1.1o and 3.0.3
Whiteboard: (none) => MGA8TOO
No evident maintainer, so assigning globally. CC'ing NicolasS who did a similar update not so long ago.
CC: (none) => nicolas.salguero
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The c_rehash script allows command injection. (CVE-2022-1292)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1292
https://www.openssl.org/news/secadv/20220503.txt
========================

Updated packages in core/updates_testing:
========================
lib(64)openssl1.1-1.1.1o-1.mga8
lib(64)openssl-devel-1.1.1o-1.mga8
lib(64)openssl-static-devel-1.1.1o-1.mga8
openssl-1.1.1o-1.mga8
openssl-perl-1.1.1o-1.mga8

from SRPM:
openssl-1.1.1o-1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Source RPM: openssl-3.0.2-1.mga9.src.rpm, openssl-1.1.1n-1.mga8.src.rpm => openssl-1.1.1n-1.mga8.src.rpm
Version: Cauldron => 8
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 1.1.1o and 3.0.3 => (none)
Assignee: pkg-bugs => qa-bugs
Ubuntu has issued an advisory for this on May 4: https://ubuntu.com/security/notices/USN-5402-1
installed openssl

$ openssl version
OpenSSL 1.1.1o  3 May 2022

$ openssl enc -aes-128-cbc -in firefox78_12.txt -out fire.enc
enter aes-128-cbc encryption password:
Verifying - enter aes-128-cbc encryption password:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.

$ ll fire.enc
-rw-r--r-- 1 brian live 464 May  5 20:43 fire.enc

$ cat fire.enc
Salted__ [binary ciphertext, not reproducible as text]

$ openssl enc -d -aes-128-cbc -in fire.enc -out fire.txt
enter aes-128-cbc decryption password:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.

file sizes match

$ ll fire.*
-rw-r--r-- 1 brian live 464 May  5 20:43 fire.enc
-rw-r--r-- 1 brian live 439 May  5 20:44 fire.txt
$ ll firefox78_12.txt
-rw-r--r-- 1 brian live 439 Jul 14  2021 firefox78_12.txt

source and restored file MD5s match

$ openssl dgst -md5 firefox78_12.txt
MD5(firefox78_12.txt)= 33e849ed30b6664813656a4e05264f58
$ openssl dgst -md5 fire.txt
MD5(fire.txt)= 33e849ed30b6664813656a4e05264f58

working from my perspective
CC: (none) => brtians1
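The "deprecated key derivation used" warning in the encryption test above refers to how `openssl enc` turns the password into a key and IV. As an added example (not from the bug report or from OpenSSL's own code), the following Python reproduces both derivations for aes-128-cbc with only the standard library: the legacy single-pass one that triggers the warning, and the `-pbkdf2` one the warning recommends. The salt, password and the work-factor figures are constructed for illustration.

```python
import hashlib

# `openssl enc` writes the 8-byte magic, an 8-byte random salt, then the ciphertext.
MAGIC = b"Salted__"

def legacy_key_iv(password: bytes, salt: bytes, key_len: int = 16, iv_len: int = 16):
    """Key/IV as derived by `openssl enc` WITHOUT -pbkdf2/-iter on OpenSSL 1.1.x:
    EVP_BytesToKey with SHA-256 and a single iteration. This is the "deprecated
    key derivation" in the warning: one hash call per password guess, so an
    offline attacker can test guesses at raw SHA-256 speed."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.sha256(block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]

def pbkdf2_key_iv(password: bytes, salt: bytes, iterations: int = 10000,
                  key_len: int = 16, iv_len: int = 16):
    """Key/IV as derived by `openssl enc -pbkdf2` (default -iter 10000):
    PBKDF2-HMAC-SHA256, key bytes first, IV from the bytes that follow."""
    material = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len + iv_len)
    return material[:key_len], material[key_len:]

def salt_from_container(blob: bytes):
    """Return the salt from an `openssl enc` output file, or None if the
    data does not start with the Salted__ header."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        return None
    return blob[8:16]

def hash_calls_per_guess(iterations: int = 10000, out_len: int = 32):
    """Rough work factor per password guess: legacy costs one SHA-256;
    PBKDF2 costs about two hash compressions (inner + outer HMAC) per
    iteration per 32-byte output block."""
    blocks = -(-out_len // 32)  # ceiling division
    return 1, 2 * iterations * blocks

if __name__ == "__main__":
    # Constructed sample container: fixed salt, dummy ciphertext, not data from the report.
    blob = MAGIC + bytes(range(8)) + b"\x00" * 16
    salt = salt_from_container(blob)
    k1, iv1 = legacy_key_iv(b"correct horse", salt)
    k2, iv2 = pbkdf2_key_iv(b"correct horse", salt)
    print("legacy key/iv:", k1.hex(), iv1.hex())
    print("pbkdf2 key/iv:", k2.hex(), iv2.hex())
    print("hash calls per guess (legacy, pbkdf2):", hash_calls_per_guess())
```

The derived values can be compared against `openssl enc -aes-128-cbc -P -S <salt-hex> -pass pass:...` with and without `-pbkdf2`, which prints the key and IV without encrypting anything.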
$ openssl genpkey -out fd.key -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -aes-128-cbc
$ openssl req -new -key fd.key -out fd.csr
$ openssl req -text -in fd.csr -noout
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = US, ST = Illinois, L = xxx, O = xxx, CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:ec:6c:32:28:0a:5d:8e:ea:59:e9:51:d4:e9:32:
                    3c:23:29:86:2e:10:65:cc:a6:07:9f:5b:14:5a:25:
                    82:9e:16:88:5b:27:25:2c:e8:ba:4f:9d:92:1f:60:
                    31:31:75:68:e3:18:cf:e5:5a:6f:8f:ea:cd:3a:16:
                    2b:c4:f1:4b:ef
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:da:bd:56:03:00:ef:a6:5b:38:ed:d0:17:3e:
         04:5c:f9:40:38:7a:08:2b:bc:37:a9:24:86:91:7f:70:37:55:
         56:02:20:35:09:fd:66:cc:b4:30:ca:71:12:3c:56:ef:84:23:
         5c:73:b7:13:0f:ed:77:4b:2d:ac:ca:9e:ea:4d:37:af:66

creating certs works
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Following WIKI:

$ openssl version
OpenSSL 1.1.1o  3 May 2022

$ openssl version -a
OpenSSL 1.1.1o  3 May 2022
built on: Wed May  4 19:59:53 2022 UTC
platform: linux-x86_64
options:  bn(64,64) md2(char) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-1.1"
Seeding source: os-specific
engines:  rdrand dynamic

$ openssl ciphers -v
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
and more......

$ openssl ciphers -v -tls1
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
and more.....

$ openssl ciphers -v 'HIGH'
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
and more....

$ openssl ciphers -v 'AES+HIGH'
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
and more.....

Other tests from WIKI behave OK.
OK'ing in view of other tests by Brian.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Are the fixes for CVE-2022-1343, CVE-2022-1434, and CVE-2022-1473 included?
Keywords: (none) => feedback
CC: (none) => davidwhodgins
Never mind. Missed that in the description; only the one CVE applies to m8.
Keywords: feedback => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0173.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED