Bug 33520 - openssl new security issue CVE-2024-6119
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://openssl-library.org/news/seca...
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-09-05 16:05 CEST by Nicolas Salguero
Modified: 2024-09-10 18:41 CEST

See Also:
Source RPM: openssl-3.0.14-1.mga9.src.rpm
CVE: CVE-2024-6119
Status comment:



Description Nicolas Salguero 2024-09-05 16:05:36 CEST
OpenSSL has issued an advisory on September 3:
https://openssl-library.org/news/secadv/20240903.txt

Nicolas Salguero 2024-09-05 16:06:29 CEST

CVE: (none) => CVE-2024-6119
Status comment: (none) => Fixed upstream in 3.3.2 and 3.0.15
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => openssl-3.3.1-1.mga10.src.rpm, openssl-3.0.14-1.mga9.src.rpm

Comment 1 Marja Van Waes 2024-09-06 21:07:52 CEST
You already pushed the fixed packages to cauldron and 9 updates_testing, thanks :-)

Assigning to you for the Advisory

Version: Cauldron => 9
URL: (none) => https://openssl-library.org/news/secadv/20240903.txt
CC: (none) => marja11
Whiteboard: MGA9TOO => (none)

Comment 2 Marja Van Waes 2024-09-06 21:08:24 CEST
(In reply to Marja Van Waes from comment #1)
> You already pushed the fixed packages to cauldron and 9 updates_testing,
> thanks :-)
> 
> Assigning to you for the Advisory

Now really assigning

Assignee: bugsquad => nicolas.salguero

Comment 3 Nicolas Salguero 2024-09-07 09:26:29 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Possible denial of service in X.509 name checks. (CVE-2024-6119)

References:
https://openssl-library.org/news/secadv/20240903.txt
========================

Updated packages in core/updates_testing:
========================
lib(64)openssl3-3.0.15-1.mga9
lib(64)openssl-devel-3.0.15-1.mga9
lib(64)openssl-static-devel-3.0.15-1.mga9
openssl-3.0.15-1.mga9
openssl-perl-3.0.15-1.mga9

from SRPM:
openssl-3.0.15-1.mga9.src.rpm

Status comment: Fixed upstream in 3.3.2 and 3.0.15 => (none)
Source RPM: openssl-3.3.1-1.mga10.src.rpm, openssl-3.0.14-1.mga9.src.rpm => openssl-3.0.14-1.mga9.src.rpm
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs

katnatek 2024-09-07 18:32:12 CEST

Keywords: (none) => advisory

Comment 4 PC LX 2024-09-09 00:17:21 CEST
Installed and tested without issues.

Tested:
- apache's mod_ssl;
- dovecot;
- samba;
- certbot;
- curl, wget, aria2c;
- openssl create RSA self-signed certificate;
- openssl s_server and s_client.
All OK.


System: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz. 



$ uname -a
Linux marte 6.6.43-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sat Jul 27 17:18:39 UTC 2024 x86_64 GNU/Linux
$ rpm -qa | grep openssl.*3.0.15 | sort
lib64openssl3-3.0.15-1.mga9
lib64openssl-devel-3.0.15-1.mga9
openssl-3.0.15-1.mga9

CC: (none) => mageia

Comment 5 PC LX 2024-09-09 00:21:02 CEST
Installed and tested without issues.

After a day of workstation usage, no regressions or issues found.
All OK.



System: Mageia 9, x86_64, Plasma DE, LXQt DE, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.



$ uname -a
Linux jupiter 6.6.43-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sat Jul 27 17:18:39 UTC 2024 x86_64 GNU/Linux
$ rpm -qa | grep openssl.*3.0.15 | sort
lib64openssl3-3.0.15-1.mga9
lib64openssl-devel-3.0.15-1.mga9
libopenssl3-3.0.15-1.mga9
openssl-3.0.15-1.mga9

Comment 6 Herman Viaene 2024-09-09 11:53:59 CEST
MGA9-64 server Plasma Wayland on HP-Pavilion
No installation issues.
Testing following the wiki
$ openssl version
OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024)

$ openssl version -a
OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024)
built on: Fri Sep  6 12:48:59 2024 UTC
platform: linux-x86_64
options:  bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-3"
MODULESDIR: "/usr/lib64/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0x43d8e3bfefebffff:0x2282

$ openssl ciphers -v
TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any      Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(128)            Mac=AEAD
TLS_AES_128_CCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESCCM(128)            Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256)            Mac=AEAD
etc......
lists of specific ciphers also OK.
Speed test and connection test, all work OK
After all others tested OK, above, good to go.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene
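
The `openssl version` check used in the comments above, written as a script. This is an added example, not part of the original bug report: the function names are hypothetical, and only the two fixed releases named in this bug (3.0.15 and 3.3.2) are encoded, so any other branch is reported as unknown.

```shell
#!/bin/sh
# Added example (not from the bug report): classify `openssl version` output
# against the fixed releases named in this bug, 3.0.15 and 3.3.2.

# Print the version of the loaded library ("Library: OpenSSL x.y.z"), which is
# the code that performs X.509 name checks; fall back to the leading version.
library_version() {
    line=$1
    case $line in
        *"(Library: OpenSSL "*) line=${line#*"(Library: OpenSSL "} ;;
        "OpenSSL "*)            line=${line#"OpenSSL "} ;;
        *) return 1 ;;
    esac
    printf '%s\n' "${line%% *}"
}

# Print "fixed", "needs-update", or "unknown" (branch not covered by this bug).
cve_2024_6119_status() {
    ver=$(library_version "$1") || { echo unknown; return 0; }
    case $ver in
        *.*.*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # drop suffixes such as "-dev"
    case "$major.$minor" in
        3.0) fixed=15 ;;             # from the bug: fixed upstream in 3.0.15
        3.3) fixed=2 ;;              # from the bug: fixed upstream in 3.3.2
        *) echo unknown; return 0 ;;
    esac
    [ -n "$patch" ] || { echo unknown; return 0; }
    if [ "$patch" -ge "$fixed" ]; then echo fixed; else echo needs-update; fi
}

# Line reported in comment 6, then a constructed mismatch where the command-line
# tool was updated but an older library is still the one being loaded.
reported='OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024)'
stale='OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.14 4 Jun 2024)'
echo "reported: $(cve_2024_6119_status "$reported")"
echo "stale:    $(cve_2024_6119_status "$stale")"
```

A version-string check does not see fixes that a distribution backports without changing the upstream version; for this update the package release (3.0.15-1.mga9) carries the fixed upstream version itself.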

Comment 7 Thomas Andrews 2024-09-10 03:07:48 CEST
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 8 Mageia Robot 2024-09-10 18:41:32 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0291.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

