33337 – openssl new security issue CVE-2024-5535

Bug 33337 - openssl new security issue CVE-2024-5535

Summary: openssl new security issue CVE-2024-5535

Status:	ASSIGNED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	9
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA9-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2024-06-27 15:37 CEST by Nicolas Salguero
Modified:	2024-06-29 20:42 CEST (History)
CC List:	3 users (show)

See Also:
Source RPM:	openssl-3.0.13-1.1.mga9.src.rpm
CVE:	CVE-2024-5535
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2024-06-27 15:37:00 CEST

OpenSSL has issued an advisory on June 27:
https://openssl.org/news/secadv/20240627.txt

The fix will be included in the next releases when they
become available. The fix is also available in commit e86ac436f0 (for 3.3),
commit 99fb785a5f (for 3.2), commit 4ada436a19 (for 3.1) and commit cf6f91f612
(for 3.0) in the OpenSSL git repository.

Mageia 9 is also affected.

Nicolas Salguero 2024-06-27 15:37:59 CEST

Status comment: (none) => Patches available from upstream
Source RPM: (none) => openssl-3.1.5-2.mga10.src.rpm, openssl-3.0.13-1.1.mga9.src.rpm
CVE: (none) => CVE-2024-5535
Whiteboard: (none) => MGA9TOO

Comment 1 Nicolas Salguero 2024-06-27 16:44:54 CEST

Suggested advisory:
========================

The updated packages fix a security vulnerability:

SSL_select_next_proto buffer overread. (CVE-2024-5535)

References:
https://openssl.org/news/secadv/20240627.txt
========================

Updated packages in core/updates_testing:
========================
lib(64)openssl3-3.0.14-1.mga9
lib(64)openssl-devel-3.0.14-1.mga9
lib(64)openssl-static-devel-3.0.14-1.mga9
openssl-3.0.14-1.mga9
openssl-perl-3.0.14-1.mga9

from SRPM:
openssl-3.0.14-1.mga9.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Source RPM: openssl-3.1.5-2.mga10.src.rpm, openssl-3.0.13-1.1.mga9.src.rpm => openssl-3.0.13-1.1.mga9.src.rpm
Assignee: bugsquad => qa-bugs
Status comment: Patches available from upstream => (none)

katnatek 2024-06-27 21:56:25 CEST

Keywords: (none) => advisory

Comment 2 Herman Viaene 2024-06-29 12:00:31 CEST

MGA9-64 Plasma Wayland on HP-Pavillion
No installation issues.
Following the wiki

$ openssl version
OpenSSL 3.0.14 4 Jun 2024 (Library: OpenSSL 3.0.14 4 Jun 2024)

$ openssl version -a
OpenSSL 3.0.14 4 Jun 2024 (Library: OpenSSL 3.0.14 4 Jun 2024)
built on: Thu Jun 27 14:00:07 2024 UTC
platform: linux-x86_64
options:  bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-3"
MODULESDIR: "/usr/lib64/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0x43d8e3bfefebffff:0x2282

$ openssl ciphers -v
TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any      Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(128)            Mac=AEAD
TLS_AES_128_CCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESCCM(128)            Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256)            Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256)            Mac=AEAD
etc......

$ openssl ciphers -v -tls1
TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any      Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(128)            Mac=AEAD
TLS_AES_128_CCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESCCM(128)            Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256)            Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256)            Mac=AEAD
etc .......

$ openssl speed rsa
Doing 512 bits private rsa's for 10s: 56227 512 bits private RSA's in 9.98s
Doing 512 bits public rsa's for 10s: 827819 512 bits public RSA's in 10.00s
Doing 1024 bits private rsa's for 10s: 16640 1024 bits private RSA's in 10.00s
Doing 1024 bits public rsa's for 10s: 269845 1024 bits public RSA's in 10.00s
Doing 2048 bits private rsa's for 10s: 2208 2048 bits private RSA's in 10.01s
Doing 2048 bits public rsa's for 10s: 76402 2048 bits public RSA's in 9.99s
Doing 3072 bits private rsa's for 10s: 691 3072 bits private RSA's in 10.00s
etc....

$ openssl s_time -connect mydesktop:443
Collecting connection statistics for 30 seconds

1086 connections in 6.62s; 164.05 connections/user sec, bytes read 0
1086 connections in 31 real seconds, 0 bytes read per connection

Now timing with session id reuse.
starting

1136 connections in 7.49s; 151.67 connections/user sec, bytes read 0
1136 connections in 31 real seconds, 0 bytes read per connection

All looks OK.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 3 Thomas Andrews 2024-06-29 20:42:18 CEST

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Note You need to log in before you can comment on or make changes to this bug.