Description of problem: QuicTLS has issued advisory CVE-2024-5535 fixed in 3.0.15. It was fixed with patch cf6f91f6121f4db167405db2f0de410a456f260c. The issue is fixed upstream in 3.0.15.
Suggested advisory:
========================

The updated packages fix a security vulnerability:

CVE-2024-5535

References:
https://openssl-library.org/news/vulnerabilities-3.0/
========================

Updated packages in core/updates_testing:
========================
lib(64)quictls81.3-3.0.15-1.mga9
lib(64)quictls-devel-3.0.15-1.mga9
lib(64)quictls-static-devel-3.0.15-1.mga9
quictls-3.0.15-1.mga9
quictls-perl-3.0.15-1.mga9

from SRPM:
quictls-3.0.15-1.mga9.src.rpm
Test procedure inherited from bugs #32794, #32484 and #33468.

$ cat /etc/mageia-release
Mageia release 9 (Official) for x86_64

$ rpm -qa | grep quictls
lib64quictls81.3-3.0.15-1.mga9
quictls-3.0.15-1.mga9
lib64quictls-devel-3.0.15-1.mga9

$ echo -n 'hello mageia' | quictls aes-256-cbc -e -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee' > mageia.enc

$ quictls aes-256-cbc -d -in mageia.enc -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee'
hello mageia

$ echo -n 'hello mageia' | quictls dgst -sha256
SHA2-256(stdin)= 872f4c6f4fa44aab16bb985dc4b7790f541695db34787f61f58df0f32598a93c

$ echo -n 'hello mageia' | sha256sum
872f4c6f4fa44aab16bb985dc4b7790f541695db34787f61f58df0f32598a93c  -
Keywords: (none) => advisory
Sorry for the delay in releasing this update, but upstream validation was delayed and a tag typo prevented the tarball release, see: https://github.com/quictls/openssl/pull/171
Whiteboard: (none) => MGA9-64-OK
Assignee: bugsquad => qa-bugs
CC: (none) => andrewsfarm, brtians1, mageia
RH x86_64

Following Thomas test bug#2794 comment#8

quictls s_client -connect rapsys.eu:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R10
verify return:1
depth=0 CN = rapsys.eu
verify return:1
---
Certificate chain
 0 s:CN = rapsys.eu
   i:C = US, O = Let's Encrypt, CN = R10
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 30 01:04:33 2024 GMT; NotAfter: Nov 28 01:04:32 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R10
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Server certificate
subject=CN = rapsys.eu
issuer=C = US, O = Let's Encrypt, CN = R10
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4130 bytes and written 377 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: F484B67F2938E0202E0E17AB13CEF041C70EAA8A35DA70A9FCDAA37498CE5E73
    Session-ID-ctx:
    Resumption PSK: 9762B9D123E6F2D969058EE3195F25612A7AD5026D07229B5F4F495500C31CC4
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 96 32 0e f5 f3 95 29 34-f1 b5 ae a3 9b 2e 50 cc   .2....)4......P.
    0010 - a0 64 f3 55 52 61 d8 b5-74 ab 9c 10 22 69 9e 09   .d.URa..t..."i..

    Start Time: 1728597717
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: B8B71F8A3D007F1363D4D6B4CC6DD74B205F71AF16B774165566A2CB756B2B81
    Session-ID-ctx:
    Resumption PSK: 13625949C6EDE319CDE7ADEA71C6DE676EE0D27577AE43355C67FAE5795DE8C2
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 3b ab 91 0f 66 df 50 f1-68 e7 ce a9 5f 36 3b 18   ;...f.P.h..._6;.
    0010 - fd cc c3 d0 61 fc ea 38-15 48 2a 2b 3f c0 81 bc   ....a..8.H*+?...

    Start Time: 1728597717
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
HTTP/1.1 408 Request Time-out
Content-length: 110
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>
closed

Looks good
Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0330.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED