OpenSSL has issued an advisory on April 8: https://openssl.org/news/secadv/20240408.txt

The fix will be included in the next releases when they become available (3.1.6 and 3.0.14) and in commit 7e4d731b (for 3.1) and commit b52867a9 (for 3.0) in the OpenSSL git repository.

Mageia 9 is also affected.
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-2511
Source RPM: (none) => openssl-3.1.4-3.mga10.src.rpm
Status comment: (none) => Patches available from upstream
"The fix will be included in the next releases when they become available. The fix is also available in commit e9d7083e (for 3.2), commit 7e4d731b (for 3.1) commit b52867a9 (for 3.0) in the OpenSSL git repository" (wherever that is).

Leaving this with NicolasS who mostly maintains OpenSSL. Please re-assign to pkg-bugs if this does not suit you.
Assignee: bugsquad => nicolas.salguero
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Unbounded memory growth with session handling in TLSv1.3. (CVE-2024-2511)

References:
https://openssl.org/news/secadv/20240408.txt
========================

Updated packages in core/updates_testing:
========================

lib(64)openssl3-3.0.13-1.mga9
lib(64)openssl-devel-3.0.13-1.mga9
lib(64)openssl-static-devel-3.0.13-1.mga9
openssl-3.0.13-1.mga9
openssl-perl-3.0.13-1.mga9

from SRPM:
openssl-3.0.13-1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 9
Source RPM: openssl-3.1.4-3.mga10.src.rpm => openssl-3.0.12-1.1.mga9.src.rpm
Assignee: nicolas.salguero => qa-bugs
Status comment: Patches available from upstream => (none)
CC: (none) => mageia
Keywords: (none) => advisory
Installed and tested without issues.

Tested using:
- apache plus apache-mod_ssl as HTTP server;
- firefox, chromium, curl, wget as HTTP clients;
- sslscan and https://www.ssllabs.com/ssltest/ as clients;
- dovecot IMAP server;
- trojita, kmail, roundcubemail as IMAP client;
- sshd as server;
- ssh as client;
- openssl CLI to create keys and certificates;
- openssl CLI to inspect existing keys and certificates;
- openssl speed;
- certbot.

Tested for one day. No issues noticed.

System server: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz.
System client: Mageia 9, x86_64, AMD Ryzen 5 5600G with Radeon Graphics.

#### Server side ####

$ uname -a
Linux marte 6.6.22-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sun Mar 17 18:04:51 UTC 2024 x86_64 GNU/Linux

$ rpm -qa | grep openssl.*3.0.13
lib64openssl3-3.0.13-1.mga9
lib64openssl-devel-3.0.13-1.mga9
openssl-3.0.13-1.mga9

#### Client side ####

$ uname -a
Linux jupiter 6.6.22-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sun Mar 17 18:04:51 UTC 2024 x86_64 GNU/Linux

$ rpm -qa | grep openssl.*3.0.13
lib64openssl3-3.0.13-1.mga9
openssl-3.0.13-1.mga9
lib64openssl-devel-3.0.13-1.mga9
libopenssl3-3.0.13-1.mga9
MGA9-64, Gnome

The following 3 packages are going to be installed:
- lib64openssl-devel-3.0.13-1.mga9.x86_64
- lib64openssl3-3.0.13-1.mga9.x86_64
- openssl-3.0.13-1.mga9.x86_64

$ openssl version
OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)

$ echo -n 'hello mageia' | openssl aes-256-cbc -e -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee' > mageia.enc
$ openssl aes-256-cbc -d -in mageia.enc -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee'
hello mageia

----
basic encryption working for me with an iv
CC: (none) => brtians1
MGA9-64 Plasma Wayland on HP Pavilion

No installation issues. Picked cipher list and speed test from the wiki after other tests have already been done above. All works OK.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene
Lots of tests. Good! Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0129.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED