Description of problem: QuicTLS has issued an advisory on July 14: https://www.openssl.org/news/secadv/20230714.txt The issue will be fixed upstream in 3.0.10. Same as: https://bugs.mageia.org/show_bug.cgi?id=32112 Impacted mga9 & cauldron. Suggested advisory: ======================== The updated packages fix security vulnerabilities: AES-SIV implementation ignores empty associated data entries. (CVE-2023-2975) Excessive time spent checking DH keys and parameters. (CVE-2023-3446) Excessive time spent checking DH q parameter value. (CVE-2023-3817) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2975 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3446 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3817 https://www.openssl.org/news/secadv/20230714.txt https://www.openssl.org/news/secadv/20230719.txt https://www.openssl.org/news/secadv/20230731.txt ======================== Updated packages in 9/core/updates_testing: ======================== lib(64)quictls81.3-3.0.10-1.mga9 lib(64)quictls-devel-3.0.10-1.mga9 lib(64)quictls-static-devel-3.0.10-1.mga9 quictls-3.0.10-1.mga9 quictls-perl-3.0.10-1.mga9 from SRPM: quictls-3.0.10-1.mga9.src.rpm
The library is required by haproxy-quic subpackage.
$ rpm -q quictls lib64quictls81.3 lib64quictls81.3-3.0.10-1.mga9 quictls-3.0.10-1.mga9 $ quictls s_client -connect rapsys.eu:443 CONNECTED(00000003) depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = R3 verify return:1 depth=0 CN = rapsys.eu verify return:1 --- [...] --- Server certificate [...] subject=CN = rapsys.eu issuer=C = US, O = Let's Encrypt, CN = R3 --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits --- SSL handshake has read 4161 bytes and written 393 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 4096 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 [...] --- read R BLOCK --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 [...] --- read R BLOCK closed
Thank you for raising this. I discover that you are the active (& registered) packager for this, and that you have already put in Cauldron v3.0.10 ! So assigning to you.
Component: RPM Packages => SecurityAssignee: bugsquad => mageiaCC: (none) => luigiwalserQA Contact: (none) => securityStatus comment: (none) => will be fixed upstream in 3.0.10
CC: luigiwalser => (none)
Reassigning to qa to get the update already done validated. Don't hesitate to comment if I missed something in the procedure.
Assignee: mageia => qa-bugsStatus: NEW => ASSIGNED
Whiteboard: (none) => MGA9TOO
Version: Cauldron => 9Status comment: will be fixed upstream in 3.0.10 => (none)CC: (none) => nicolas.salgueroWhiteboard: MGA9TOO => (none)
Andrew as you validated https://bugs.mageia.org/show_bug.cgi?id=32112 may you please validatte this bug too ?
CC: (none) => andrewsfarm, sysadmin-bugs
MGA9-64 Plasma in an HP Pavilion 15. Installed the above packages, then updated using qarepo with no issues. Giving this an OK based on the clean update over the old packages, and using comment 2 as a test of function. Validating. Advisory in comment 0.
Keywords: (none) => validated_updateWhiteboard: (none) => MGA9-64-OK
CC: (none) => davidwhodgins
Hi David, May you do the advisory ? It is a mirror of this bug: https://bugs.mageia.org/show_bug.cgi?id=32112 Best regards
CC: (none) => marja11Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0273.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED