QuicTLS has issued an advisory on November 6:
https://www.openssl.org/news/secadv/20231106.txt

The next QuicTLS version will contain the fix.

The fix is also available in commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6 (for 3.1) and commit db925ae2e65d0d925adef429afc37f75bd1c2017 (for 3.0).
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Excessive time spent in DH check / generation with large Q parameter value. (CVE-2023-5678)

POLY1305 MAC implementation corrupts vector registers on PowerPC. (CVE-2023-6129)

Excessive time spent checking invalid RSA public keys. (CVE-2023-6237)

PKCS12 Decoding crashes. (CVE-2024-0727)

References:
https://www.openssl.org/news/secadv/20231106.txt
https://www.openssl.org/news/secadv/20240109.txt
https://www.openssl.org/news/secadv/20240115.txt
https://www.openssl.org/news/secadv/20240125.txt
========================

Updated packages in core/updates_testing:
========================
lib(64)quictls81.3-3.0.12-1.1.mga9
lib(64)quictls-devel--3.0.12-1.1.mga9
lib(64)quictls-static-devel-3.0.12-1.1.mga9
quictls-3.0.12-1.1.mga9
quictls-perl-3.0.12-1.1.mga9

from SRPM:
quictls-3.0.12-1.1.mga9.src.rpm
Keywords: (none) => advisory; Depends on: (none) => 32498
Status: NEW => ASSIGNED; QA Contact: (none) => security; Assignee: bugsquad => qa-bugs; CC: (none) => mageia
Component: RPM Packages => Security; CC: (none) => marja11
Mageia9, x86_64

Installed the core packages then updated them from updates-testing.
Referred to bug 29234 for testing. Reproducers for the vulnerabilities not available.

Installed godot and ran it under strace. Brought up the blender-style scene creation gui, backed out, then created a dummy project, and downloaded some files from assetlib. Closed down.

$ grep mbedtls godot.trace
openat(AT_FDCWD, "/usr/lib64/libmbedtls.so.14", O_RDONLY|O_CLOEXEC) = 3
$ grep crypto godot.trace
openat(AT_FDCWD, "/usr/lib64/libmbedcrypto.so.7", O_RDONLY|O_CLOEXEC) = 3
$ grep x509 godot.trace
openat(AT_FDCWD, "/usr/lib64/libmbedx509.so.1", O_RDONLY|O_CLOEXEC) = 3

As far as this goes the game engine functions and opens the libraries.
Giving this an OK for 64-bits. Advisory to follow.
CC: (none) => tarazed25
In reply to comment 2; Note that the gui IS blender, not blender-style.
Concerning comments 2 and 3 - wrong bug! We need another button to invalidate such comments.
CC: (none) => andrewsfarm
(In reply to Len Lawrence from comment #4)
> Concerning comments 2 and 3 - wrong bug!
> We need another button to invalidate such comments.

Left click on the tag option for each of the comments and type in the word obsolete, as I've now done for comments 2 and 3.
CC: (none) => davidwhodgins
(In reply to Dave Hodgins from comment #5)
> (In reply to Len Lawrence from comment #4)
> > Concerning comments 2 and 3 - wrong bug!
> > We need another button to invalidate such comments.
>
> Left click on the tag option for each of the comments and type in the word
> obsolete, as I've now done for comments 2 and 3.

I tried that earlier, but it didn't work for me. Maybe I don't have the power to obsolete the comments of others.
Typo in the package list:

Qarepo objected to "lib(64)quictls-devel--3.0.12-1.1.mga9"

It should be "lib(64)quictls-devel-3.0.12-1.1.mga9"
MGA9-64 Plasma in VirtualBox:

No installation issues.

Referred to bug 32248 comment 2 for testing guidance:

[tom@localhost ~]$ rpm -q quictls lib64quictls81.3
quictls-3.0.12-1.1.mga9
lib64quictls81.3-3.0.12-1.1.mga9
[tom@localhost ~]$ quictls s_client -connect rapsys.eu:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = rapsys.eu
verify return:1
---
Certificate chain
 0 s:CN = rapsys.eu
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 29 00:26:34 2023 GMT; NotAfter: Mar 28 00:26:33 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
---
subject=CN = rapsys.eu
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5528 bytes and written 377 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol : TLSv1.3
    Cipher : TLS_AES_128_GCM_SHA256
    Session-ID: 002AA403F69E7661550CF75DC03AACDCE57CC02F0326EA9FC84A7CF017FEFAE5
    Session-ID-ctx:
    Resumption PSK: AB98F394E63B6C200CD3F2E62B6661F87F0868DF2FC3F2140E56C97CA7F34A20
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - f1 43 0c 8c 97 75 de 57-8f 9b 97 46 21 3e 42 d9 .C...u.W...F!>B.
    0010 - 2f d3 6c c6 4a 0d b2 d7-7a d7 d0 6f 0e a6 c5 88 /.l.J...z..o....
    Start Time: 1707947830
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol : TLSv1.3
    Cipher : TLS_AES_128_GCM_SHA256
    Session-ID: 24A27DCEB65164AEEFF5E6C7986798A29652B198DE26CD0A4FCC6C0AE01B2CC0
    Session-ID-ctx:
    Resumption PSK: F33FDD0C711E4DAACFF020914D31B15E709AC4EBA348F0C1926C2D40A7EDF883
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 8c 38 e0 75 de 85 89 2d-af ba a5 9a ca 79 15 0a .8.u...-.....y..
    0010 - 7e 9d ff cd d7 3b 31 74-ae 74 a5 e3 51 e2 89 ed ~....;1t.t..Q...
    Start Time: 1707947830
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
HTTP/1.1 408 Request Time-out
Content-length: 110
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>
closed

Looks in line with the results of the previous bug. Giving this an OK.
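The s_client smoke test in the comment above is judged by eye from a handful of lines (Verification, negotiated protocol and cipher, verify return code). As an added example, not part of the original comment or of Mageia's QA tooling, this shell function reduces such a transcript to one PASS/FAIL line; the name check_s_client and the failing sample are assumptions constructed here.

```shell
#!/bin/sh
# Added example: reduce an s_client transcript to one PASS/FAIL line.
# check_s_client is a hypothetical helper name, not a quictls or Mageia tool.
check_s_client() {
    awk '
        /^Verification: /      { verification = $2 }
        /^New, /               { proto = $2; sub(/,$/, "", proto); cipher = $NF }
        /Verify return code: / { if (!seen) { seen = 1; code = $4 + 0 } }
        END {
            if (!seen)                { print "FAIL no verify return code"; exit }
            if (code != 0)            { print "FAIL verify return code " code; exit }
            if (verification != "OK") { print "FAIL verification " verification; exit }
            print "PASS " proto " " cipher
        }'
}

# Lines abridged from the transcript in the comment above.
sample_ok() {
    cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = rapsys.eu
verify return:1
SSL handshake has read 5528 bytes and written 377 bytes
Verification: OK
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Verify return code: 0 (ok)
    Verify return code: 0 (ok)
EOF
}

# Constructed failing transcript (expired certificate); not from the page.
sample_expired() {
    cat <<'EOF'
CONNECTED(00000003)
Verification error: certificate has expired
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Verify return code: 10 (certificate has expired)
EOF
}

sample_ok | check_s_client
sample_expired | check_s_client
# Live use: quictls s_client -connect HOST:443 </dev/null 2>&1 | check_s_client
```

A transcript with no "Verify return code" line at all (for example a connection that never completed the handshake) is reported as a failure rather than silently passing.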
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update; CC: (none) => sysadmin-bugs
(In reply to Thomas Andrews from comment #6)
> (In reply to Dave Hodgins from comment #5)
> > (In reply to Len Lawrence from comment #4)
> > > Concerning comments 2 and 3 - wrong bug!
> > > We need another button to invalidate such comments.
> >
> > Left click on the tag option for each of the comments and type in the word
> > obsolete, as I've now done for comments 2 and 3.
>
> I tried that earlier, but it didn't work for me. Maybe I don't have the
> power to obsolete the comments of others.

I've added bugsquad, editkeywords, editusers permissions for you at
https://bugs.mageia.org/editusers.cgi?action=list&matchvalue=login_name&matchstr=&matchtype=substr&groupid=9&is_enabled=1
which should also now allow you to disable accounts for spammers if you encounter bug comments from them, as well as being able to obsolete any comment.

Please test by obsoleting all comments in this bug that are not about quictls.

I'm not sure if you just have to reload the page or logout/in to bugzilla for the changes to take effect, or if nothing needs to be done.

Let's continue any further discussion of this by email.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0036.html
Status: ASSIGNED => RESOLVED; Resolution: (none) => FIXED