OpenSSL has issued an advisory on November 6: https://www.openssl.org/news/secadv/20231106.txt The next OpenSSL version will contain the fix. The fix is also available in commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6 (for 3.1) and commit db925ae2e65d0d925adef429afc37f75bd1c2017 (for 3.0).
Whiteboard: (none) => MGA9TOOCC: (none) => nicolas.salgueroSource RPM: (none) => openssl-3.0.12-1.mga9.src.rpm
Assigning to the base system maintainers Changing current version in source rpm field, because: [marja@localhost ~]$ rpm -qa lib64openssl3 lib64openssl3-3.1.4-1.mga10
Assignee: bugsquad => basesystemSource RPM: openssl-3.0.12-1.mga9.src.rpm => openssl-3.1.4-1.mga10CC: (none) => marja11
Since the update, I see in the journal: postfix/smtps/smtpd[73070]: warning: run-time library vs. compile-time header version mismatch: OpenSSL 3.1.0 may not be compatible with OpenSSL 3.0.0 and sometimes: postfix/smtps/smtpd[73070]: warning: TLS library problem: error:0A00010B:SSL routines::wrong version number:ssl/record/ssl3_record.c:354: Should postfix be rebuilt ?
CC: (none) => guillaume.bedot
OpenSSL has issued an advisory on January 15: https://www.openssl.org/news/secadv/20240115.txt The next OpenSSL version will contain the fix. The fix is also available in commit a830f551 (for 3.1) and commit 18c02492 (for 3.0).
Summary: openssl new security issue CVE-2023-5678 => openssl new security issues CVE-2023-5678 and CVE-2023-6237CVE: (none) => CVE-2023-5678, CVE-2023-6237
OpenSSL has issued an advisory on January 25: https://www.openssl.org/news/secadv/20240125.txt The next OpenSSL version will contain the fix. The fix is also available in commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c (for 3.1) and commit 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 (for 3.0).
CVE: CVE-2023-5678, CVE-2023-6237 => CVE-2023-5678, CVE-2023-6237, CVE-2024-0727Summary: openssl new security issues CVE-2023-5678 and CVE-2023-6237 => openssl new security issues CVE-2023-5678, CVE-2023-6237 and CVE-2024-0727
OpenSSL has issued an advisory on January 9: https://www.openssl.org/news/secadv/20240109.txt The next OpenSSL version will contain the fix. The fix is also available in commit f3fc5808 (for 3.1) and commit 050d263 (for 3.0).
Summary: openssl new security issues CVE-2023-5678, CVE-2023-6237 and CVE-2024-0727 => openssl new security issues CVE-2023-5678, CVE-2023-6129, CVE-2023-6237 and CVE-2024-0727CVE: CVE-2023-5678, CVE-2023-6237, CVE-2024-0727 => CVE-2023-5678, CVE-2023-6129, CVE-2023-6237, CVE-2024-0727
Suggested advisory: ======================== The updated packages fix security vulnerabilities: Excessive time spent in DH check / generation with large Q parameter value. (CVE-2023-5678) POLY1305 MAC implementation corrupts vector registers on PowerPC. (CVE-2023-6129) Excessive time spent checking invalid RSA public keys. (CVE-2023-6237) PKCS12 Decoding crashes. (CVE-2024-0727) References: https://www.openssl.org/news/secadv/20231106.txt https://www.openssl.org/news/secadv/20240109.txt https://www.openssl.org/news/secadv/20240115.txt https://www.openssl.org/news/secadv/20240125.txt ======================== Updated packages in core/updates_testing: ======================== lib(64)openssl3-3.0.12-1.1.mga9 lib(64)openssl-devel-3.0.12-1.1.mga9 lib(64)openssl-static-devel-3.0.12-1.1.mga9 openssl-3.0.12-1.1.mga9 openssl-perl-3.0.12-1.1.mga9 from SRPM: openssl-3.0.12-1.1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)Source RPM: openssl-3.1.4-1.mga10 => openssl-3.0.12-1.mga9.src.rpmStatus: NEW => ASSIGNEDVersion: Cauldron => 9Assignee: basesystem => qa-bugs
URL: (none) => https://www.openssl.org/news/secadv/20231106.txt https://www.openssl.org/news/secadv/20240109.txt https://www.openssl.org/news/secadv/20240115.txt https://www.openssl.org/news/secadv/20240125.txt
Keywords: (none) => advisory
CC: (none) => mageia
Blocks: (none) => 32794
Installed and tested without issues. Tested using: - apache plus apache-mod_ssl as server; - sslscan and https://www.ssllabs.com/ssltest/ as clients; - sshd as server; - ssh as client; - openssl CLI to create keys and certificates; - openssl CLI to inspect existing keys and certificates; - openssl speed. - certbot. No issues noticed. System server: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz. System client: Mageia 9, x86_64, AMD Ryzen 5 5600G with Radeon Graphics. #### Server side #### $ uname -a Linux marte 6.6.14-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sat Jan 27 01:13:53 UTC 2024 x86_64 GNU/Linux $ rpm -qa | grep openssl.*3.0.12 lib64openssl3-3.0.12-1.1.mga9 lib64openssl-devel-3.0.12-1.1.mga9 openssl-3.0.12-1.1.mga9 #### Client side #### $ uname -a Linux jupiter 6.6.14-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sat Jan 27 01:13:53 UTC 2024 x86_64 GNU/Linux $ rpm -qa | grep openssl.*3.0.12 | sort lib64openssl3-3.0.12-1.1.mga9 lib64openssl-devel-3.0.12-1.1.mga9 libopenssl3-3.0.12-1.1.mga9 openssl-3.0.12-1.1.mga9
When selecting the static-devel I get: The following package has to be removed for others to be upgraded: lib64nss-static-devel-3.97.0-1.mga9.x86_64 (due to conflicts with libopenssl-static-devel) Continuing without the openssl-static-devel
CC: (none) => herman.viaene
MGA9-64 Plasma Wayland on HP Pavillion No further installation issues Following the wiki $ openssl version OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023) $ openssl version -a OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023) built on: Tue Jan 30 09:14:41 2024 UTC platform: linux-x86_64 options: bn(64,64) compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config" OPENSSLDIR: "/etc/pki/tls" ENGINESDIR: "/usr/lib64/engines-3" MODULESDIR: "/usr/lib64/ossl-modules" Seeding source: os-specific CPUINFO: OPENSSL_ia32cap=0x43d8e3bfefebffff:0x2282 $ openssl ciphers -v TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD etc....... HA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD etc.... $ openssl ciphers -v 'HIGH' TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD ..... $ openssl ciphers -v 'AES+HIGH' TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(256) Mac=AEAD ECDHE-ECDSA-AES256-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(256) Mac=AEAD ...... Continuing later on
$ openssl speed Doing md5 for 3s on 16 size blocks: 4921863 md5's in 2.99s Doing md5 for 3s on 64 size blocks: 3798258 md5's in 3.00s Doing md5 for 3s on 256 size blocks: 2375907 md5's in 3.00s Doing md5 for 3s on 1024 size blocks: 945750 md5's in 3.00s Doing md5 for 3s on 8192 size blocks: 143241 md5's in 3.00s Doing md5 for 3s on 16384 size blocks: 72213 md5's in 2.98s and a lot more, seems to work OK $ openssl speed Doing md5 for 3s on 16 size blocks: 4948902 md5's in 2.99s Doing md5 for 3s on 64 size blocks: 3804689 md5's in 3.00s Doing md5 for 3s on 256 size blocks: 2380392 md5's in 3.00s Doing md5 for 3s on 1024 size blocks: 946997 md5's in 3.00s Doing md5 for 3s on 8192 size blocks: 143321 md5's in 3.00s Doing md5 for 3s on 16384 size blocks: 72726 md5's in 3.00s etc ...... From bug 32112 $ openssl s_client -connect mageia.org:443 CONNECTED(00000003) depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority verify return:1 depth=1 C = FR, ST = Paris, L = Paris, O = Gandi, CN = Gandi Standard SSL CA 2 verify return:1 depth=0 CN = *.mageia.org verify return:1 --- Certificate chain etc.... and SSL handshake has read 3670 bytes and written 394 bytes Verification: OK --- and more.... AFAICS and regarding tests from PC LX, good to go.
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0020.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED