As reported upstream https://www.openssl.org/news/secadv/20230530.txt Fixed in version 3.0.9.
Thanks for the report, Stig. Are you able to say whether this applies also to Mageia 8? If so, please add MGA8TOO to the Whiteboard. DavidW will know. Assigning this to ns80 who currently maintains OpenSSL.
Status comment: (none) => Fixed in version 3.0.9
CC: (none) => luigiwalser
Assignee: bugsquad => nicolas.salguero
Source RPM: (none) => openssl-3.0.8-3.mga9.src.rpm

Whiteboard: (none) => MGA8TOO
Status comment: Fixed in version 3.0.9 => Fixed upstream in 1.1.1u and 3.0.9
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Possible DoS translating ASN.1 object identifiers. (CVE-2023-2650)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2650
https://www.openssl.org/news/secadv/20230530.txt
========================

Updated packages in core/updates_testing:
========================
lib(64)openssl1.1-1.1.1u-1.mga8
lib(64)openssl-devel-1.1.1u-1.mga8
lib(64)openssl-static-devel-1.1.1u-1.mga8
openssl-1.1.1u-1.mga8
openssl-perl-1.1.1u-1.mga8

from SRPM:
openssl-1.1.1u-1.mga8.src.rpm

Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA8TOO => (none)
Source RPM: openssl-3.0.8-3.mga9.src.rpm => openssl-1.1.1t-1.mga8.src.rpm
Status comment: Fixed upstream in 1.1.1u and 3.0.9 => (none)
CVE: (none) => CVE-2023-2650
Version: Cauldron => 8
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
MGA8-64 MATE on Acer Aspire 5253
No installation issues (omitting lib(64)openssl-static-devel-1.1.1u-1.mga8).
Following the wiki and bugs 30619 and 31526:

$ openssl version
OpenSSL 1.1.1u 30 May 2023

$ openssl version -a
OpenSSL 1.1.1u 30 May 2023
built on: Thu Jun 1 08:33:10 2023 UTC
platform: linux-x86_64
options: bn(64,64) md2(char) rc4(8x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-1.1"
Seeding source: os-specific
engines: dynamic

$ openssl ciphers -v
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
and a load more.......

$ openssl ciphers -v -tls1
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
etc........

$ openssl ciphers -v -tls1
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
etc.....

$ openssl ciphers -v 'AES+HIGH'
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
etc.....

$ openssl speed
Doing md2 for 3s on 16 size blocks: 197891 md2's in 3.00s
Doing md2 for 3s on 64 size blocks: 102630 md2's in 2.99s
Doing md2 for 3s on 256 size blocks: 35049 md2's in 3.00s
Doing md2 for 3s on 1024 size blocks: 9638 md2's in 3.00s
Doing md2 for 3s on 8192 size blocks: 1241 md2's in 3.00s
Doing md2 for 3s on 16384 size blocks: 622 md2's in 3.00s
Doing md4 for 3s on 16 size blocks: 2248881 md4's in 2.99s
Doing md4 for 3s on 64 size blocks: 1870937 md4's in 3.00s
Doing md4 for 3s on 256 size blocks: 1328108 md4's in 2.99s
Doing md4 for 3s on 1024 size blocks: 621274 md4's in 3.00s
Doing md4 for 3s on 8192 size blocks: 102953 md4's in 2.99s
Doing md4 for 3s on 16384 size blocks: 52771 md4's in 3.00s
and more .....

$ openssl speed rsa
........snip
                  sign    verify    sign/s verify/s
rsa   512 bits 0.000360s 0.000027s   2778.2  37149.2
rsa  1024 bits 0.001099s 0.000066s    910.0  15116.0
rsa  2048 bits 0.007586s 0.000209s    131.8   4780.1
rsa  3072 bits 0.022653s 0.000436s     44.1   2295.5
rsa  4096 bits 0.050914s 0.000750s     19.6   1333.8
rsa  7680 bits 0.375926s 0.002511s      2.7    398.3
rsa 15360 bits 2.348000s 0.009751s      0.4    102.6

openssl s_time -connect <desktop>:443
Collecting connection statistics for 30 seconds
*****
2108 connections in 8.87s; 237.66 connections/user sec, bytes read 0
2108 connections in 31 real seconds, 0 bytes read per connection
Now timing with session id reuse.
starting
*****
2166 connections in 8.60s; 251.86 connections/user sec, bytes read 0
2166 connections in 31 real seconds, 0 bytes read per connection

$ openssl s_client -connect mageia.org:443
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = FR, ST = Paris, L = Paris, O = Gandi, CN = Gandi Standard SSL CA 2
verify return:1
depth=0 CN = *.mageia.org
verify return:1
---
Certificate chain
 0 s:CN = *.mageia.org
   i:C = FR, ST = Paris, L = Paris, O = Gandi, CN = Gandi Standard SSL CA 2
 1 s:C = FR, ST = Paris, L = Paris, O = Gandi, CN = Gandi Standard SSL CA 2
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGMDCCBRigAwIBAgIQUaOqUlfepsm3ibNK6Yq6wzANBgkqhkiG9w0BAQsFADBf
MQswCQYDVQQGEwJGUjEOMAwGA1UECBMFUGFyaXMxDjAMBgNVBAcTBVBhcmlzMQ4w
.......

All looks OK to me.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene
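The `openssl version` check that opens the test run above, as an added example that is not part of the original report: a shell function that classifies a version line against the two fixed releases this bug names for CVE-2023-2650 (1.1.1u and 3.0.9). The function name is hypothetical, and any branch the report does not mention is returned as `unknown` rather than guessed.

```shell
#!/bin/sh
# Added example (not from the bug report): classify `openssl version` output
# against the fixed releases named in this report: 1.1.1u and 3.0.9.
# cve_2023_2650_status is a hypothetical helper name.

# Usage: cve_2023_2650_status "$(openssl version)"
# Prints one of: fixed, vulnerable, unknown
cve_2023_2650_status() {
    # Second field is the version: "OpenSSL 1.1.1u  30 May 2023" -> 1.1.1u
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    case "$ver" in
        1.1.1*)
            # 1.1.1 releases use a letter suffix: (none) < a < ... < z < za
            suffix=${ver#1.1.1}
            case "$suffix" in
                # Anything other than lowercase letters (-dev, -pre8, ...)
                *[!abcdefghijklmnopqrstuvwxyz]*) echo unknown; return ;;
            esac
            if [ "${#suffix}" -gt 1 ]; then
                echo fixed          # two-letter suffixes sort after z
            else
                # Empty suffix or a single letter before 'u' predates the fix
                case "abcdefghijklmnopqrst" in
                    *"$suffix"*) echo vulnerable ;;
                    *)           echo fixed ;;
                esac
            fi ;;
        3.0.*)
            patch=${ver#3.0.}
            case "$patch" in
                ''|*[!0123456789]*) echo unknown; return ;;
            esac
            if [ "$patch" -ge 9 ]; then echo fixed; else echo vulnerable; fi ;;
        *)
            # Branch not covered by this report (or unparseable input)
            echo unknown ;;
    esac
}
```

This compares upstream version strings only; a distribution that backports the patch without bumping the version would need a package changelog check instead.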
Validating. Advisory in comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0195.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED