QuicTLS has issued an advisory on October 24: https://www.openssl.org/news/secadv/20231024.txt The issue is fixed upstream in 3.0.12.
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Incorrect cipher key & IV length processing. (CVE-2023-5363)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5363
https://www.openssl.org/news/secadv/20231024.txt
========================

Updated packages in core/updates_testing:
========================

lib(64)quictls81.3-3.0.12-1.mga9
lib(64)quictls-devel-3.0.12-1.mga9
lib(64)quictls-static-devel-3.0.12-1.mga9
quictls-3.0.12-1.mga9
quictls-perl-3.0.12-1.mga9

from SRPM:
quictls-3.0.12-1.mga9.src.rpm
Keywords: (none) => advisory
Status: NEW => ASSIGNED
CC: (none) => marja11
QA Contact: (none) => security
CC: (none) => nicolas.salguero
Depends on: (none) => 32452
Assigning to you.
Assignee: bugsquad => mageia
Assigning to QA, because quictls-3.0.12-1.mga9 landed in 9 core/updates_testing early this morning.

@ Raphael

Thanks for all your work! Do you mind propediting:

r15207 | rapsys | 2023-11-03 01:22:50 +0100 (vr, 03 nov 2023) | 1 line

Add security advisory M9 openssl mga#32484

It only needs "openssl" to be changed into "quictls".

(BTW, sorry for accidentally having overwritten your 32089.adv when I added another advisory last night. I have re-added 32089.adv with the correct message this morning)
CC: (none) => mageia
Assignee: mageia => qa-bugs
(In reply to Marja Van Waes from comment #3)
> @ Raphael
>
> Do you mind propediting:
>
> r15207 | rapsys | 2023-11-03 01:22:50 +0100 (vr, 03 nov 2023) | 1 line
>
> Add security advisory M9 openssl mga#32484
>
> It only needs "openssl" to be changed into "quictls".
>
> (BTW, sorry for accidentally having overwritten your 32089.adv when I added
> another advisory last night. I have re-added 32089.adv with the correct
> message this morning)

I re-added the file with the proper commit message.
CC: (none) => brtians1
CC: (none) => andrewsfarm
Could you validate this update as well, please?
$ cat /etc/mageia-release
Mageia release 9 (Official) for x86_64

$ rpm -qa | grep quictls
lib64quictls81.3-3.0.12-1.mga9
lib64quictls-devel-3.0.12-1.mga9
quictls-3.0.12-1.mga9

$ echo -n 'hello mageia' | quictls aes-256-cbc -e -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee' > mageia.enc
$ quictls aes-256-cbc -d -in mageia.enc -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee'
hello mageia

$ echo -n 'hello mageia' | quictls dgst -sha256
SHA2-256(stdin)= 872f4c6f4fa44aab16bb985dc4b7790f541695db34787f61f58df0f32598a93c
$ echo -n 'hello mageia' | sha256sum
872f4c6f4fa44aab16bb985dc4b7790f541695db34787f61f58df0f32598a93c  -
Following the procedure from previous update bug 32248: MGA9-64 Plasma on an HP Pavilion 15.

Installed the above packages, then updated using qarepo with no issues. Giving this an OK based on the clean update over the old packages, and using comment 6 and comment 7 as a test of function.

Validating.
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0317.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED