OpenSSL has issued an advisory on June 27:
https://openssl.org/news/secadv/20240627.txt

The fix will be included in the next releases when they become available.

The fix is also available in commit e86ac436f0 (for 3.3), commit 99fb785a5f (for 3.2), commit 4ada436a19 (for 3.1) and commit cf6f91f612 (for 3.0) in the OpenSSL git repository.

Mageia 9 is also affected.
Status comment: (none) => Patches available from upstream
Source RPM: (none) => openssl-3.1.5-2.mga10.src.rpm, openssl-3.0.13-1.1.mga9.src.rpm
CVE: (none) => CVE-2024-5535
Whiteboard: (none) => MGA9TOO
Suggested advisory:
========================

The updated packages fix a security vulnerability:

SSL_select_next_proto buffer overread. (CVE-2024-5535)

References:
https://openssl.org/news/secadv/20240627.txt
========================

Updated packages in core/updates_testing:
========================
lib(64)openssl3-3.0.14-1.mga9
lib(64)openssl-devel-3.0.14-1.mga9
lib(64)openssl-static-devel-3.0.14-1.mga9
openssl-3.0.14-1.mga9
openssl-perl-3.0.14-1.mga9

from SRPM:
openssl-3.0.14-1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Status: NEW => ASSIGNED
Source RPM: openssl-3.1.5-2.mga10.src.rpm, openssl-3.0.13-1.1.mga9.src.rpm => openssl-3.0.13-1.1.mga9.src.rpm
Assignee: bugsquad => qa-bugs
Status comment: Patches available from upstream => (none)
Keywords: (none) => advisory
MGA9-64 Plasma Wayland on HP-Pavilion
No installation issues.
Following the wiki

$ openssl version
OpenSSL 3.0.14 4 Jun 2024 (Library: OpenSSL 3.0.14 4 Jun 2024)

$ openssl version -a
OpenSSL 3.0.14 4 Jun 2024 (Library: OpenSSL 3.0.14 4 Jun 2024)
built on: Thu Jun 27 14:00:07 2024 UTC
platform: linux-x86_64
options: bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-3"
MODULESDIR: "/usr/lib64/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0x43d8e3bfefebffff:0x2282

$ openssl ciphers -v
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
etc......

$ openssl ciphers -v -tls1
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
etc .......

$ openssl speed rsa
Doing 512 bits private rsa's for 10s: 56227 512 bits private RSA's in 9.98s
Doing 512 bits public rsa's for 10s: 827819 512 bits public RSA's in 10.00s
Doing 1024 bits private rsa's for 10s: 16640 1024 bits private RSA's in 10.00s
Doing 1024 bits public rsa's for 10s: 269845 1024 bits public RSA's in 10.00s
Doing 2048 bits private rsa's for 10s: 2208 2048 bits private RSA's in 10.01s
Doing 2048 bits public rsa's for 10s: 76402 2048 bits public RSA's in 9.99s
Doing 3072 bits private rsa's for 10s: 691 3072 bits private RSA's in 10.00s
etc....

$ openssl s_time -connect mydesktop:443
Collecting connection statistics for 30 seconds
1086 connections in 6.62s; 164.05 connections/user sec, bytes read 0
1086 connections in 31 real seconds, 0 bytes read per connection
Now timing with session id reuse.
starting
1136 connections in 7.49s; 151.67 connections/user sec, bytes read 0
1136 connections in 31 real seconds, 0 bytes read per connection

All looks OK.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0247.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED