Bug 33468 - QuicTLS new security issue
Summary: QuicTLS new security issue
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-08-15 03:39 CEST by Raphael Gertz
Modified: 2024-08-19 21:13 CEST

See Also:
Source RPM: quictls-3.0.12-1.1.mga9.src.rpm
CVE: CVE-2024-5535, CVE-2024-4741, CVE-2024-4603, CVE-2024-251, CVE-2024-0727, CVE-2023-6237, CVE-2023-6129, CVE-2023-5678
Status comment:
Description Raphael Gertz 2024-08-15 03:39:19 CEST
Description of problem:
QuicTLS has issued multiple advisories:
CVE-2024-5535 fixed with cf6f91f6121f4db167405db2f0de410a456f260c patch
CVE-2024-4741 fixed in 3.0.14
CVE-2024-4603 fixed in 3.0.14
CVE-2024-2511 fixed in 3.0.14
CVE-2024-0727 fixed in 3.0.13
CVE-2023-6237 fixed in 3.0.13
CVE-2023-6129 fixed in 3.0.13
CVE-2023-5678 fixed in 3.0.13


The issue is fixed upstream in 3.0.14 + cf6f91f6121f4db167405db2f0de410a456f260c patch
Comment 1 Raphael Gertz 2024-08-15 03:41:32 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:
CVE-2024-5535
CVE-2024-4741
CVE-2024-4603
CVE-2024-2511
CVE-2024-0727
CVE-2023-6237
CVE-2023-6129
CVE-2023-5678

References:
https://openssl-library.org/news/vulnerabilities-3.0/
========================

Updated packages in core/updates_testing:
========================
lib(64)quictls81.3-3.0.14-1.1.mga9
lib(64)quictls-devel-3.0.14-1.1.mga9
lib(64)quictls-static-devel-3.0.14-1.1.mga9
quictls-3.0.14-1.1.mga9
quictls-perl-3.0.14-1.1.mga9

from SRPM:
quictls-3.0.14-1.1.mga9.src.rpm
Raphael Gertz 2024-08-15 03:41:57 CEST

Keywords: (none) => advisory

Comment 2 Raphael Gertz 2024-08-15 03:48:54 CEST
Test procedure inherited from bugs #32794 and #32484.

$ cat /etc/mageia-release 
Mageia release 9 (Official) for x86_64

$ rpm -qa | grep quictls
lib64quictls81.3-3.0.14-1.1.mga9
quictls-3.0.14-1.1.mga9
lib64quictls-devel-3.0.14-1.1.mga9

$ echo -n 'hello mageia' | quictls aes-256-cbc -e -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee' > mageia.enc

$ quictls aes-256-cbc -d -in mageia.enc -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee'
hello mageia

$ echo -n 'hello mageia' | quictls dgst -sha256
SHA2-256(stdin)= 872f4c6f4fa44aab16bb985dc4b7790f541695db34787f61f58df0f32598a93c

$ echo -n 'hello mageia' | sha256sum
872f4c6f4fa44aab16bb985dc4b7790f541695db34787f61f58df0f32598a93c  -
Raphael Gertz 2024-08-15 03:50:33 CEST

CC: (none) => andrewsfarm, brtians1, mageia
Assignee: bugsquad => qa-bugs

Raphael Gertz 2024-08-15 03:50:58 CEST

Whiteboard: (none) => MGA9-64-OK
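A check a packager or administrator would want alongside the fix versions in the description and the package list in Comment 1, written here as an added example (not part of the bug report or of the quictls project): a POSIX shell function that maps a quictls version and release to the advisory CVEs that build still lacks. It assumes the CVE-2024-5535 backport is counted as present only from the 3.0.14-1.1.mga9 build onward.

```shell
# Added example, not part of the bug report: given a quictls VERSION and
# RELEASE (as shown by rpm), list the CVEs from this advisory that the build
# still lacks, using the fix versions from the description.
# Assumption: the backported patch for CVE-2024-5535 is counted as present
# only from the 3.0.14-1.1.mga9 build, so the release tag is checked as well.

# version_ge A B: true when dotted version A >= B, comparing numerically
# component by component (missing components count as 0).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        ax=${ax:-0}; bx=${bx:-0}
        [ "$ax" -gt "$bx" ] && return 0
        [ "$ax" -lt "$bx" ] && return 1
        case $a in *.*) a=${a#*.};; *) a="";; esac
        case $b in *.*) b=${b#*.};; *) b="";; esac
    done
    return 0
}

# open_cves VERSION RELEASE: prints one still-open CVE per line, nothing when
# the build carries every fix listed in the bug.
open_cves() {
    ver="$1"; rel="${2%.mga*}"   # "1.1.mga9" -> "1.1"
    if ! version_ge "$ver" 3.0.13; then
        printf '%s\n' CVE-2024-0727 CVE-2023-6237 CVE-2023-6129 CVE-2023-5678
    fi
    if ! version_ge "$ver" 3.0.14; then
        printf '%s\n' CVE-2024-4741 CVE-2024-4603 CVE-2024-2511
    fi
    # CVE-2024-5535 needs the cf6f91f6 backport, first shipped in 3.0.14-1.1.mga9.
    if ! version_ge "$ver" 3.0.14 || ! version_ge "$rel" 1.1; then
        printf '%s\n' CVE-2024-5535
    fi
}

# On a Mageia host (not run here):
#   open_cves $(rpm -q --qf '%{VERSION} %{RELEASE}' quictls)
```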

Comment 3 Raphael Gertz 2024-08-15 03:52:14 CEST
Sorry for the delay in releasing this update, but upstream merge validation was delayed, see:
https://github.com/quictls/openssl/pull/158
Comment 4 Thomas Andrews 2024-08-18 03:29:14 CEST
Tested in a MGA9-64 VirtualBox Plasma guest. Updated over the existing package, with no installation issues. Tested as in Bug 32248 Comment 2, with consistent results.

Validating, based on my test and the ones from Comment 2.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Dan Fandrich 2024-08-19 20:36:10 CEST
Switched bug to the Security component.

QA Contact: (none) => security
Component: RPM Packages => Security
CVE: (none) => CVE-2024-5535, CVE-2024-4741, CVE-2024-4603, CVE-2024-251, CVE-2024-0727, CVE-2023-6237, CVE-2023-6129, CVE-2023-5678
CC: (none) => dan

Comment 6 Mageia Robot 2024-08-19 21:13:09 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0281.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED