OpenSSL has issued an advisory on May 16: https://www.openssl.org/news/secadv/20240516.txt The fix will be included in the next releases when they become available. The fix is also available in commit 53ea0648 (for 3.3), commit da343d06 (for 3.2), commit 9c39b385 (for 3.1) and commit 3559e868 (for 3.0) in the OpenSSL git repository. Mageia 9 is also affected.
Status comment: (none) => Patches available from upstream
Source RPM: (none) => openssl-3.1.5-1.mga10.src.rpm
CVE: (none) => CVE-2024-4603
Whiteboard: (none) => MGA9TOO
Nicolas, you normally do openssl, so assigning this to you.
Assignee: bugsquad => nicolas.salguero
OpenSSL has issued an advisory on May 28: https://www.openssl.org/news/secadv/20240528.txt The fix will be included in the next releases when they become available. The fix is also available in commit e5093133c3 (for 3.3), commit c88c3de510 (for 3.2), commit 704f725b96 (for 3.1) and commit b3f0eb0a29 (for 3.0) in the OpenSSL git repository. Mageia 9 is also affected.
CVE: CVE-2024-4603 => CVE-2024-4603, CVE-2024-4741
Summary: openssl new security issue CVE-2024-4603 => openssl new security issues CVE-2024-4603 and CVE-2024-4741
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Excessive time spent checking DSA keys and parameters. (CVE-2024-4603)

Use After Free with SSL_free_buffers. (CVE-2024-4741)

References:
https://www.openssl.org/news/secadv/20240516.txt
https://www.openssl.org/news/secadv/20240528.txt
========================

Updated packages in core/updates_testing:
========================

lib(64)openssl3-3.0.13-1.1.mga9
lib(64)openssl-devel-3.0.13-1.1.mga9
lib(64)openssl-static-devel-3.0.13-1.1.mga9
openssl-3.0.13-1.1.mga9
openssl-perl-3.0.13-1.1.mga9

from SRPM:
openssl-3.0.13-1.1.mga9.src.rpm
Status: NEW => ASSIGNED
Source RPM: openssl-3.1.5-1.mga10.src.rpm => openssl-3.0.13-1.mga9.src.rpm
Version: Cauldron => 9
Assignee: nicolas.salguero => qa-bugs
Status comment: Patches available from upstream => (none)
Whiteboard: MGA9TOO => (none)
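A practitioner verifying this update on a fleet wants to know whether each installed openssl package is at or beyond the fixed release in the advisory above, and plain string comparison gets RPM releases such as 1.mga9 versus 1.1.mga9 wrong. The following is an added example, not Mageia or OpenSSL code: a Python port of rpm's rpmvercmp() ordering (separators skipped, digit runs compared numerically, alpha runs lexically, with the ~ and ^ pre/post-release rules) plus a small NEVRA parser, run over a constructed `rpm -qa` listing rather than the real rpm database. The package names come from the advisory; the set of recognised architecture suffixes and the sample listing are assumptions.

```python
# Added example, not Mageia tooling: rpm-style EVR comparison for the fixed NVRs.

# Assumption: architecture suffixes the parser recognises.
KNOWN_ARCHES = {"x86_64", "i586", "i686", "noarch", "aarch64", "armv7hl", "src"}

# Fixed packages from the suggested advisory, with lib(64) expanded for x86_64.
FIXED_NVRS = [
    "lib64openssl3-3.0.13-1.1.mga9",
    "lib64openssl-devel-3.0.13-1.1.mga9",
    "lib64openssl-static-devel-3.0.13-1.1.mga9",
    "openssl-3.0.13-1.1.mga9",
    "openssl-perl-3.0.13-1.1.mga9",
]

# Constructed sample of `rpm -qa 'openssl*' 'lib64openssl*'` on a partly updated host.
SAMPLE_RPM_QA = """\
lib64openssl3-3.0.13-1.mga9.x86_64
openssl-3.0.13-1.mga9.x86_64
lib64openssl-devel-3.0.13-1.1.mga9.x86_64
"""


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything not alphanumeric, '~' or '^') are skipped, not compared.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca, cb = a[i:i + 1], b[j:j + 1]
        if "~" in (ca, cb):  # '~' sorts before anything, even end of string
            if ca != cb:
                return 1 if cb == "~" else -1
            i, j = i + 1, j + 1
            continue
        if "^" in (ca, cb):  # '^' sorts after end of string, before anything else
            if ca != cb:
                return 1 if ca and (ca != "^" or not cb) else -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        # Take the next all-digit or all-alpha run from each side.
        kind = str.isdigit if ca.isdigit() else str.isalpha
        i2, j2 = i, j
        while i2 < len(a) and kind(a[i2]):
            i2 += 1
        while j2 < len(b) and kind(b[j2]):
            j2 += 1
        sa, sb = a[i:i2], b[j:j2]
        if not sb:  # mixed types: a numeric run is newer than an alpha run
            return 1 if ca.isdigit() else -1
        if ca.isdigit():  # numeric runs: drop leading zeros, longer is bigger
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = i2, j2
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_nevra(pkg: str):
    """Split 'name-[epoch:]version-release[.arch][.rpm]' into five parts."""
    pkg = pkg.removesuffix(".rpm")
    head, _, tail = pkg.rpartition(".")
    arch = None
    if tail in KNOWN_ARCHES:
        pkg, arch = head, tail
    name, version, release = pkg.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        epoch, version = version.split(":", 1)
        epoch = int(epoch)
    return name, epoch, version, release, arch


def compare_evr(a, b) -> int:
    """Order (epoch, version, release) tuples as rpm does: epoch wins outright."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def outdated(rpm_qa_output: str, fixed_nvrs=FIXED_NVRS) -> list:
    """Installed packages whose EVR is below the fixed EVR of the same name."""
    fixed = {p[0]: p[1:4] for p in map(parse_nevra, fixed_nvrs)}
    stale = []
    for line in rpm_qa_output.split():
        n, e, v, r, _ = parse_nevra(line)
        if n in fixed and compare_evr((e, v, r), fixed[n]) < 0:
            stale.append(line)
    return stale


if __name__ == "__main__":
    for pkg in outdated(SAMPLE_RPM_QA):
        print("still vulnerable:", pkg)
```

On a real host, feed it the output of `rpm -qa 'openssl*' 'lib*openssl*'` instead of the constructed sample; for the i586 packages the names are libopenssl3 and libopenssl-devel, so extend FIXED_NVRS accordingly.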
Keywords: (none) => advisory
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing openssl-3.0.13-1.1.mga9.x86_64.rpm lib64openssl3-3.0.13-1.1.mga9.x86_64.rpm lib64openssl-devel-3.0.13-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
 1/3: lib64openssl3 ##################################################################################################
 2/3: openssl ##################################################################################################
 3/3: lib64openssl-devel ##################################################################################################
 1/3: removing openssl-3.0.13-1.mga9.x86_64 ##################################################################################################
 2/3: removing lib64openssl-devel-3.0.13-1.mga9.x86_64 ##################################################################################################
 3/3: removing lib64openssl3-3.0.13-1.mga9.x86_64 ##################################################################################################

Restarted sshd and checked its status, looks well.

Reference bug#33078 comment#5

echo -n 'hello mageia' | openssl aes-256-cbc -e -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee' > mageia.enc
openssl aes-256-cbc -d -in mageia.enc -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee'
hello mageia
RH mageia 9 i586

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
installing libopenssl3-3.0.13-1.1.mga9.i586.rpm openssl-3.0.13-1.1.mga9.i586.rpm libopenssl-devel-3.0.13-1.1.mga9.i586.rpm from //home/katnatek/qa-testing/i586
Preparing... ################################################################
 1/3: libopenssl3 ################################################################
 2/3: libopenssl-devel ################################################################
 3/3: openssl ################################################################
 1/3: removing openssl-3.0.13-1.mga9.i586 ################################################################
 2/3: removing libopenssl-devel-3.0.13-1.mga9.i586 ################################################################
 3/3: removing libopenssl3-3.0.13-1.mga9.i586 ################################################################

Restarted sshd and checked its status, looks well.

Reference bug#33078 comment#5

echo -n 'hello mageia' | openssl aes-256-cbc -e -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee' > mageia.enc
[katnatek@cefiro ~]$ openssl aes-256-cbc -d -in mageia.enc -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee'
hello mageia
MGA9-64 Plasma Wayland on HP Pavilion

No installation issues.

Test as above:
$ echo -n 'hello mageia' | openssl aes-256-cbc -e -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee' > mageia.enc
$ openssl aes-256-cbc -d -in mageia.enc -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee'
hello mageia

Usual tests:
$ openssl version -a
OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
built on: Thu May 30 08:16:31 2024 UTC
platform: linux-x86_64
options: bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-3"
MODULESDIR: "/usr/lib64/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0x43d8e3bfefebffff:0x2282

$ openssl ciphers -v
TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any      Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(128)            Mac=AEAD
TLS_AES_128_CCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESCCM(128)            Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256)            Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256)            Mac=AEAD
etc.

$ openssl speed rsa
Doing 512 bits private rsa's for 10s: 56525 512 bits private RSA's in 9.99s
Doing 512 bits public rsa's for 10s: 827771 512 bits public RSA's in 9.99s
Doing 1024 bits private rsa's for 10s: 16552 1024 bits private RSA's in 9.99s
Doing 1024 bits public rsa's for 10s: 269013 1024 bits public RSA's in 10.00s
Doing 2048 bits private rsa's for 10s: 2203 2048 bits private RSA's in 10.00s
Doing 2048 bits public rsa's for 10s: 75924 2048 bits public RSA's in 10.00s
Doing 3072 bits private rsa's for 10s: 692 3072 bits private RSA's in 9.99s
Doing 3072 bits public rsa's for 10s: 34981 3072 bits public RSA's in 9.99s
Doing 4096 bits private rsa's for 10s: 301 4096 bits private RSA's in 10.00s
Doing 4096 bits public rsa's for 10s: 19988 4096 bits public RSA's in 10.00s
etc.

All works OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0200.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED