Bug 32248 - quictls new security issues CVE-2023-2975, CVE-2023-3446 and CVE-2023-3817
Summary: quictls new security issues CVE-2023-2975, CVE-2023-3446 and CVE-2023-3817
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-09-05 19:20 CEST by Raphael Gertz
Modified: 2023-09-30 21:18 CEST (History)
5 users

See Also:
Source RPM: quictls-3.0.9-1.mga9.src.rpm
CVE:
Status comment:



Description Raphael Gertz 2023-09-05 19:20:54 CEST
Description of problem:

QuicTLS has issued an advisory on July 14:
https://www.openssl.org/news/secadv/20230714.txt

The issue will be fixed upstream in 3.0.10.

Same as:
https://bugs.mageia.org/show_bug.cgi?id=32112

Impacted mga9 & cauldron.

Suggested advisory:
========================
The updated packages fix security vulnerabilities:

AES-SIV implementation ignores empty associated data entries. (CVE-2023-2975)

Excessive time spent checking DH keys and parameters. (CVE-2023-3446)

Excessive time spent checking DH q parameter value. (CVE-2023-3817)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2975
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3446
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3817
https://www.openssl.org/news/secadv/20230714.txt
https://www.openssl.org/news/secadv/20230719.txt
https://www.openssl.org/news/secadv/20230731.txt
========================

Updated packages in 9/core/updates_testing:
========================
lib(64)quictls81.3-3.0.10-1.mga9
lib(64)quictls-devel-3.0.10-1.mga9
lib(64)quictls-static-devel-3.0.10-1.mga9
quictls-3.0.10-1.mga9
quictls-perl-3.0.10-1.mga9

from SRPM:
quictls-3.0.10-1.mga9.src.rpm
Comment 1 Raphael Gertz 2023-09-05 19:21:41 CEST
The library is required by haproxy-quic subpackage.
Comment 2 Raphael Gertz 2023-09-05 19:29:26 CEST
$ rpm -q quictls lib64quictls81.3
lib64quictls81.3-3.0.10-1.mga9
quictls-3.0.10-1.mga9

$ quictls  s_client -connect rapsys.eu:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = rapsys.eu
verify return:1
---
[...]
---
Server certificate
[...]
subject=CN = rapsys.eu
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4161 bytes and written 393 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
[...]
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
[...]
---
read R BLOCK
closed
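A scripted form of the package check in comment 2, added here as an example; it is not part of the bug report or of Mageia's QA tooling. It assumes the `rpm -q` output format shown above (name-version-release.mga9), treats 3.0.10 as the minimum fixed version named in the advisory, and feeds a constructed sample of `rpm -q` output so it runs without rpm installed.

```shell
#!/bin/sh
# Added example (not from the bug report): flag any installed quictls package
# whose upstream version is below the fixed 3.0.10 release.

FIXED_VERSION="3.0.10"

# Constructed sample of `rpm -q quictls lib64quictls81.3 quictls-perl` output;
# the last entry is deliberately still on the vulnerable 3.0.9 release.
SAMPLE_RPM_Q='lib64quictls81.3-3.0.10-1.mga9
quictls-3.0.10-1.mga9
quictls-perl-3.0.9-1.mga9'

# version_of NVR: strip the ".mga9" dist tag, then "-<release>", then "<name>-",
# leaving only the upstream version (e.g. 3.0.10).
version_of() {
    v=${1%.mga*}
    v=${v%-*}
    printf '%s\n' "${v##*-}"
}

# version_ge A B: succeed when dotted numeric version A >= B, comparing
# component by component (so 3.0.10 > 3.0.9, unlike a plain string compare).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
    done
    return 0
}

# check_packages: read NVR lines on stdin, report each, fail if any is outdated.
check_packages() {
    bad=0
    while IFS= read -r nvr; do
        [ -z "$nvr" ] && continue
        ver=$(version_of "$nvr")
        if version_ge "$ver" "$FIXED_VERSION"; then
            echo "OK       $nvr"
        else
            echo "OUTDATED $nvr (need >= $FIXED_VERSION)"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# On a real mga9 host the input would come from rpm itself:
#   rpm -q quictls lib64quictls81.3 quictls-perl | check_packages
# Here the constructed sample is used instead.
printf '%s\n' "$SAMPLE_RPM_Q" | check_packages \
    || echo "at least one quictls package is still below $FIXED_VERSION"
```

The component-wise comparison matters here because the fix lands in 3.0.10, and a naive string comparison would rank 3.0.9 above it.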
Comment 3 Lewis Smith 2023-09-05 20:32:45 CEST
Thank you for raising this.

I discover that you are the active (& registered) packager for this, and that you have already put in Cauldron v3.0.10! So assigning to you.

Component: RPM Packages => Security
Assignee: bugsquad => mageia
CC: (none) => luigiwalser
QA Contact: (none) => security
Status comment: (none) => will be fixed upstream in 3.0.10

David Walser 2023-09-05 21:00:17 CEST

CC: luigiwalser => (none)

Comment 4 Raphael Gertz 2023-09-06 06:35:26 CEST
Reassigning to qa to get the update already done validated.

Don't hesitate to comment if I missed something in the procedure.

Assignee: mageia => qa-bugs
Status: NEW => ASSIGNED

Raphael Gertz 2023-09-06 06:36:17 CEST

Whiteboard: (none) => MGA9TOO

Nicolas Salguero 2023-09-06 11:00:11 CEST

Version: Cauldron => 9
Status comment: will be fixed upstream in 3.0.10 => (none)
CC: (none) => nicolas.salguero
Whiteboard: MGA9TOO => (none)

Comment 5 Raphael Gertz 2023-09-22 02:42:52 CEST
Andrew, as you validated https://bugs.mageia.org/show_bug.cgi?id=32112, may you please validate this bug too?

CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Thomas Andrews 2023-09-22 14:05:38 CEST
MGA9-64 Plasma in an HP Pavilion 15. 

Installed the above packages, then updated using qarepo with no issues.

Giving this an OK based on the clean update over the old packages, and using comment 2 as a test of function.

Validating. Advisory in comment 0.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK

Raphael Gertz 2023-09-25 07:17:12 CEST

CC: (none) => davidwhodgins

Comment 7 Raphael Gertz 2023-09-25 07:18:48 CEST
Hi David,

May you do the advisory?

It is a mirror of this bug:
https://bugs.mageia.org/show_bug.cgi?id=32112

Best regards
Marja Van Waes 2023-09-30 15:09:14 CEST

CC: (none) => marja11
Keywords: (none) => advisory

Comment 8 Mageia Robot 2023-09-30 21:18:29 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0273.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

