OpenSSL has issued an advisory on July 14:
https://www.openssl.org/news/secadv/20230714.txt

The issue will be fixed upstream in 3.0.10.
ns80 currently nurses openssl, so assigning to you.
Assignee: bugsquad => nicolas.salguero
Status comment: (none) => fixed upstream in 3.0.10
OpenSSL has issued other advisories on July 19:
https://www.openssl.org/news/secadv/20230719.txt
and July 31:
https://www.openssl.org/news/secadv/20230731.txt

Versions 3.0.10 and 1.1.1v were released on August 01.
Summary: openssl new security issue CVE-2023-2975 => openssl new security issues CVE-2023-2975, CVE-2023-3446 and CVE-2023-3817
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

AES-SIV implementation ignores empty associated data entries. (CVE-2023-2975)

Excessive time spent checking DH keys and parameters. (CVE-2023-3446)

Excessive time spent checking DH q parameter value. (CVE-2023-3817)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2975
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3446
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3817
https://www.openssl.org/news/secadv/20230714.txt
https://www.openssl.org/news/secadv/20230719.txt
https://www.openssl.org/news/secadv/20230731.txt
========================

Updated packages in 8/core/updates_testing:
========================
lib(64)openssl1.1-1.1.1v-1.mga8
lib(64)openssl-devel-1.1.1v-1.mga8
lib(64)openssl-static-devel-1.1.1v-1.mga8
openssl-1.1.1v-1.mga8
openssl-perl-1.1.1v-1.mga8

from SRPM:
openssl-1.1.1v-1.mga8.src.rpm

Updated packages in 9/core/updates_testing:
========================
lib(64)openssl3-3.0.10-1.mga9
lib(64)openssl-devel-3.0.10-1.mga9
lib(64)openssl-static-devel-3.0.10-1.mga9
openssl-3.0.10-1.mga9
openssl-perl-3.0.10-1.mga9

from SRPM:
openssl-3.0.10-1.mga9.src.rpm
Status comment: fixed upstream in 3.0.10 => (none)
Whiteboard: (none) => MGA8TOO
Version: Cauldron => 9
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
CC: (none) => mageia
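The two DH entries in the suggested advisory (CVE-2023-3446 and CVE-2023-3817) concern time spent checking parameters whose p or q is far larger than any legitimate group. The following is an added example, not part of this bug report or of OpenSSL's code: a standard-library-only pre-check that reads p, g and q from a PEM parameter block and refuses oversized values before they reach a checker. The 32768-bit limit, the function names and the sample values are assumptions.

```python
import base64
import re

def _read_tlv(buf, pos):  # decode one DER element: (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_dh_params(pem):  # returns (p, g, q); q is None unless the block is X9.42
    m = re.search(r"-----BEGIN ((?:X9\.42 )?DH PARAMETERS)-----(.+?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    tag, body, _ = _read_tlv(base64.b64decode("".join(m.group(2).split())), 0)
    ints, pos = [], 0
    while pos < len(body):
        t, val, pos = _read_tlv(body, pos)
        if t == 0x02:  # INTEGER; anything else is skipped
            ints.append(int.from_bytes(val, "big"))
    if tag != 0x30 or len(ints) < 2:
        raise ValueError("not a DH parameter SEQUENCE")
    q = ints[2] if m.group(1).startswith("X9.42") and len(ints) > 2 else None
    return ints[0], ints[1], q

def precheck(pem, max_bits=32768):  # max_bits: assumed local policy limit
    """Return reasons to refuse the parameters; an empty list means proceed."""
    (p, _g, q), problems = parse_dh_params(pem), []
    if p.bit_length() > max_bits:
        problems.append(f"modulus is {p.bit_length()} bits, limit is {max_bits}")
    if q is not None and q >= p:
        problems.append("q is not smaller than p")
    return problems

def _tlv(tag, body):  # minimal DER encoder, used only to build the samples
    n, k = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body

def build_pem(label, *ints):  # constructed samples: right sizes only, not usable DH groups
    body = b"".join(_tlv(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big")) for i in ints)
    b64 = base64.b64encode(_tlv(0x30, body)).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

NORMAL = build_pem("DH PARAMETERS", (1 << 2047) | 1, 2)
HUGE_P = build_pem("DH PARAMETERS", (1 << 40000) | 1, 2)
BIG_Q = build_pem("X9.42 DH PARAMETERS", (1 << 2047) | 1, 2, (1 << 4096) | 1)
```

Treat a non-empty result from `precheck()` or a `ValueError` from the parser as a reason to reject the file; the check looks only at sizes and does not validate the group itself.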
mga9-64, Xfce

$ uname -a
Linux localhost 6.4.12-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Mon Aug 28 09:15:37 UTC 2023 x86_64 GNU/Linux

The following 2 packages are going to be installed:

- lib64openssl3-3.0.10-1.mga9.x86_64
- openssl-3.0.10-1.mga9.x86_64

$ openssl ciphers
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES256-CCM:AES128-GCM-SHA256:AES128-CCM:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:PSK-AES256-CCM:PSK-AES128-GCM-SHA256:PSK-AES128-CCM:PSK-AES256-CBC-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA:DHE-PSK-AES256-GCM-SHA384:DHE-PSK-CHACHA20-POLY1305:DHE-PSK-AES256-CCM:DHE-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-CCM:DHE-PSK-AES256-CBC-SHA:DHE-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA:ECDHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:RSA-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:RSA-PSK-AES256-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA

$ openssl version
OpenSSL 3.0.10 1 Aug 2023 (Library: OpenSSL 3.0.10 1 Aug 2023)

from a base level it appears to be working
CC: (none) => brtians1
MGA8-64, Plasma

The following 3 packages are going to be installed:

- lib64openssl-devel-1.1.1v-1.mga8.x86_64
- lib64openssl1.1-1.1.1v-1.mga8.x86_64
- openssl-1.1.1v-1.mga8.x86_64

$ openssl version
OpenSSL 1.1.1v 1 Aug 2023

$ openssl ciphers
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES256-CCM:AES128-GCM-SHA256:AES128-CCM:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:PSK-AES256-CCM:PSK-AES128-GCM-SHA256:PSK-AES128-CCM:PSK-AES256-CBC-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA:DHE-PSK-AES256-GCM-SHA384:DHE-PSK-CHACHA20-POLY1305:DHE-PSK-AES256-CCM:DHE-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-CCM:DHE-PSK-AES256-CBC-SHA:DHE-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA:ECDHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:RSA-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:RSA-PSK-AES256-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA

$ openssl s_client -connect mageia.org:443
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = FR, ST = Paris, L = Paris, O = Gandi, CN = Gandi Standard SSL CA 2
verify return:1
depth=0 CN = *.mageia.org
verify return:1
---
blah blah blah ...
SSL handshake has read 3670 bytes and written 384 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

AES-SIV cipher is beyond simple testing and would need some C code. Not up to that at this moment.
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK MGA9-64-OK
Validating. Advisory in comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0253.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED