OpenSSL has issued an advisory on January 20: https://openssl-library.org/news/secadv/20250120.txt
CVE: (none) => CVE-2024-13176
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => openssl-3.3.2-2.mga10.src.rpm, openssl-3.0.15-1.1.mga9.src.rpm
Status comment: (none) => Patches available from upstream
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Timing side-channel in ECDSA signature computation. (CVE-2024-13176)

References:
https://openssl-library.org/news/secadv/20250120.txt
========================

Updated packages in core/updates_testing:
========================
lib(64)openssl3-3.0.15-1.2.mga9
lib(64)openssl-devel-3.0.15-1.2.mga9
lib(64)openssl-static-devel-3.0.15-1.2.mga9
openssl-3.0.15-1.2.mga9
openssl-perl-3.0.15-1.2.mga9

from SRPM:
openssl-3.0.15-1.2.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED
Status comment: Patches available from upstream => (none)
Version: Cauldron => 9
Source RPM: openssl-3.3.2-2.mga10.src.rpm, openssl-3.0.15-1.1.mga9.src.rpm => openssl-3.0.15-1.1.mga9.src.rpm
Keywords: (none) => advisory
Problem during installation: libopenssl-static-devel conflicts with (installed) lib64nss-static-devel-2:3.107.0-1.mga9.x86_64 Proceeding without this package.
CC: (none) => herman.viaene
MGA9-64 Plasma Wayland on Compaq H000SB
No further installation issues.
Ref bug 33520

$ openssl s_client -connect mageia.org:443
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = FR, O = Gandi, CN = Gandi RSA Domain Validation Secure Server CA 3
verify return:1
depth=0 CN = *.mageia.org
verify return:1
---
Certificate chain
 0 s:CN = *.mageia.org
   i:C = FR, O = Gandi, CN = Gandi RSA Domain Validation Secure Server CA 3
and a lot more .....

]$ openssl version
OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024)

$ openssl version -a
OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024)
built on: Thu Jan 23 10:34:40 2025 UTC
platform: linux-x86_64
options: bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-3"
MODULESDIR: "/usr/lib64/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0x3ed8220b078bffff:0x8

$ openssl ciphers -v
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
etc .....

$ openssl speed rsa
Doing 512 bits private rsa's for 10s: 28522 512 bits private RSA's in 9.40s
Doing 512 bits public rsa's for 10s: 426143 512 bits public RSA's in 9.84s
Doing 1024 bits private rsa's for 10s: 9093 1024 bits private RSA's in 9.93s
Doing 1024 bits public rsa's for 10s: 155666 1024 bits public RSA's in 9.77s
Doing 2048 bits private rsa's for 10s: 1271 2048 bits private RSA's in 9.44s
Doing 2048 bits public rsa's for 10s: 43606 2048 bits public RSA's in 9.19s
Doing 3072 bits private rsa's for 10s: 421 3072 bits private RSA's in 9.61s
and continuing .....

AFAICS this is good, but higher powers to judge on the problem with the static-devel package mentioned in Comment 2
It's not an issue, just uninstall the conflicting package.
CC: (none) => mageia
@David That would do in my instance, since that lib64nss-static-devel came from some other update testing and I don't need it. But is it beyond imagination that some user/developer might actually need that one??
It's extremely rare that anyone would need a static devel package, and even in the case that someone does, it shouldn't be left installed once they're done building with it.
OK, comment accepted. Anyway the installation tested OK after removing the conflicting package. So, no reason to hold back.
Whiteboard: (none) => MGA9-64-OK
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0025.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED