I just came across this on freshmeat/freecode: "A fix was introduced for a security issue where an extension of the Vaudenay padding oracle attack on CBC mode encryption enables an efficient plaintext recovery attack against the OpenSSL implementation of DTLS. This issue was originally reported as CVE-2011-4108. Various other bugfixes and improvements were made" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4108 There's no link to a patch yet, so you'd have to either find the change in 1.0.0f that fixed it, or just upgrade to 1.0.0f.
In fact it's more CVE: http://www.openssl.org/news/secadv_20120104.txt As there is no maintainer for this package I added the committers in CC. (Please set the status to 'assigned' if you are working on it)
URL: (none) => http://www.openssl.org/news/secadv_20120104.txtCC: (none) => arnaud.patard, fundawang, mageia, pterjan
Adding dmorgan in CC who built the last update.
CC: (none) => dmorganec
Ping ?
For reference, Mandriva has just issued the advisory for this (January 16): http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:006 They have patched their packages and they list CVE-2011-410[89], CVE-2011-4576, and CVE-2011-4619 in the advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4108 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4109 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4619
This advisory for the MDV 2011 version (which is closer to Mageia 1's) also mentions CVE-2012-0027: http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:007 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0027
Today (January 19) OpenSSL 1.0.0g comes out with this note: "This release fixed a DTLS DoS issue which was recently introduced by the fix for CVE-2011-4109."
I'll be happy just submit cauldron package into testing, but i think maybe dmorgan want to give his opinion, as he updated several CVE issues before.
i will take a look what is better monday ( maximum )
Mandriva posted this advisory today (January 29): http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:011 Saying the previous fix for CVE-2011-4108 mentioned above was incorrect and caused a new issue CVE-2012-0050 which they have now corrected.
Blocks: (none) => 3819
What's the plan for this package? Do we try to dig out every security patch in OpenSSL since 1.0.0d (what other kind of patch is there in OpenSSL?)? Are all of the patches that have been added to Mandriva's package sufficeint? Do we upgrade it to the latest version?
Patched package uploaded. Advisory: ======================== Updated openssl packages fix security vulnerabilities: The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack (CVE-2011-4108). Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to have an unspecified impact by triggering failure of a policy check (CVE-2011-4109). The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer (CVE-2011-4576). The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service via unspecified vectors (CVE-2011-4619). The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service (daemon crash) via crafted data from a TLS client (CVE-2012-0027). OpenSSL 0.9.8s and 1.0.0f does not properly support DTLS applications, which allows remote attackers to cause a denial of service via unspecified vectors. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4108 (CVE-2012-0050). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0027 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4619 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4109 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4108 http://www.openssl.org/news/secadv_20120104.txt http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:007 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0050 http://www.openssl.org/news/secadv_20120118.txt http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:011 ======================== Updated packages in core/updates_testing: ======================== libopenssl1.0.0-1.0.0d-2.2.mga1 libopenssl-devel-1.0.0d-2.2.mga1 libopenssl-engines1.0.0-1.0.0d-2.2.mga1 libopenssl-static-devel-1.0.0d-2.2.mga1 openssl-1.0.0d-2.2.mga1 from openssl-1.0.0d-2.2.mga1.src.rpm
Assignee: bugsquad => qa-bugs
Testing complete on i586 for the srpm openssl-1.0.0d-2.2.mga1.src.rpm I haven't found any pocs for the cves, so just testing that it works using commands from http://www.madboa.com/geek/openssl/#intro-version and testing that web browsers work with https etc.
CC: (none) => davidwhodgins
Tested x86_64 and wiki page created. https://wiki.mageia.org/en/Testing_procedure_for_openssl Update validated Could sysadmin please push from core/updates_testing to core/updates Please see comment 11 for details. Thankyou!
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsHardware: i586 => All
update pushed
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED