March 2022 - Epel-packagers-sig - Fedora mailing-lists

[Bug 2063508] New: authentication recquired The password you use does not match
by bugzilla＠redhat.com 17 Mar '22

17 Mar '22

https://bugzilla.redhat.com/show_bug.cgi?id=2063508 Bug ID: 2063508 Summary: authentication recquired The password you use does not match Product: Fedora Version: 36 OS: Linux Status: NEW Component: keyrings-filesystem Severity: high Assignee: manisandro(a)gmail.com Reporter: jjb(a)xs4all.nl QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, manisandro(a)gmail.com, sergio(a)serjux.com Target Milestone: --- Classification: Fedora Description of problem: Keyring is locked. (in Passwords and Keys, Seahorse) try to solve error message "authentication required, the password you use to log in to your computer no longer match that of your login keyring" The known password is not accepted. Version-Release number of selected component (if applicable): How reproducible: try to Get Geary (email program) at work. At login to the computer the password is working all right. Steps to Reproduce: 1. 2. 3. Actual results: cannot authenticate password. Expected results: no question of authentication Additional info: do not know how to solve this problem. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2063508

1 3

[Bug 2062202] CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
by bugzilla＠redhat.com 17 Mar '22

17 Mar '22

https://bugzilla.redhat.com/show_bug.cgi?id=2062202 Yasuhiro Ozone <yozone(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |yozone(a)redhat.com Flags| |needinfo?(security-response | |-team(a)redhat.com) -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2062202

1 0

[Bug 2062202] CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
by bugzilla＠redhat.com 17 Mar '22

17 Mar '22

https://bugzilla.redhat.com/show_bug.cgi?id=2062202 --- Doc Text *updated* by Nick Tait <ntait(a)redhat.com> --- A flaw was found in OpenSSL. It is possible to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. Since certificate parsing happens before verification of the certificate signature, any process that parses an externally supplied certificate may be subject to a denial of service attack. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2062202

1 0

[Bug 2057214] New: python-flit-3.7.0 is available
by bugzilla＠redhat.com 17 Mar '22

17 Mar '22

https://bugzilla.redhat.com/show_bug.cgi?id=2057214 Bug ID: 2057214 Summary: python-flit-3.7.0 is available Product: Fedora Version: rawhide Status: NEW Component: python-flit Keywords: FutureFeature, Triaged Assignee: mhroncok(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, mhroncok(a)redhat.com, michel(a)michel-slm.name, python-sig(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Latest upstream release: 3.7.0 Current version/release in rawhide: 3.5.1-2.fc36 URL: https://flit.readthedocs.io/en/latest/ Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from Anitya: https://release-monitoring.org/project/12061/ -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2057214

1 5

[Bug 2062202] CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
by bugzilla＠redhat.com 16 Mar '22

16 Mar '22

https://bugzilla.redhat.com/show_bug.cgi?id=2062202 --- Comment #16 from Mauro Matteo Cascella <mcascell(a)redhat.com> --- Created edk2 tracking bugs for this issue: Affects: fedora-all [bug 2064917] Created mingw-openssl tracking bugs for this issue: Affects: fedora-all [bug 2064914] Created openssl tracking bugs for this issue: Affects: fedora-all [bug 2064911] Created openssl1.1 tracking bugs for this issue: Affects: fedora-all [bug 2064918] Created openssl11 tracking bugs for this issue: Affects: epel-7 [bug 2064913] Created openssl3 tracking bugs for this issue: Affects: epel-8 [bug 2064915] -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2062202

1 0

[Bug 2062202] CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
by bugzilla＠redhat.com 16 Mar '22

16 Mar '22

https://bugzilla.redhat.com/show_bug.cgi?id=2062202 Mauro Matteo Cascella <mcascell(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends On| |2064915, 2064917, 2064914, | |2064913, 2064911, 2064918 Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=2064911 [Bug 2064911] CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2064913 [Bug 2064913] CVE-2022-0778 openssl11: openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates [epel-7] https://bugzilla.redhat.com/show_bug.cgi?id=2064914 [Bug 2064914] CVE-2022-0778 mingw-openssl: openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2064915 [Bug 2064915] CVE-2022-0778 openssl3: openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates [epel-8] https://bugzilla.redhat.com/show_bug.cgi?id=2064917 [Bug 2064917] CVE-2022-0778 edk2: openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2064918 [Bug 2064918] CVE-2022-0778 openssl1.1: openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates [fedora-all] -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2062202

1 0

[Bug 2059741] Please branch and build dropbear in epel9
by bugzilla＠redhat.com 16 Mar '22

16 Mar '22

https://bugzilla.redhat.com/show_bug.cgi?id=2059741 Fedora Update System <updates(a)fedoraproject.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|MODIFIED |ON_QA --- Comment #4 from Fedora Update System <updates(a)fedoraproject.org> --- FEDORA-EPEL-2022-ffa4233ef0 has been pushed to the Fedora EPEL 9 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-ffa4233ef0 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. -- You are receiving this mail because: You are the assignee for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2059741

1 0

[Bug 2062202] CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
by bugzilla＠redhat.com 16 Mar '22

16 Mar '22

https://bugzilla.redhat.com/show_bug.cgi?id=2062202 Mauro Matteo Cascella <mcascell(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Comment|0 |updated --- Comment #0 has been edited --- The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: TLS clients consuming server certificates TLS servers consuming client certificates Hosting providers taking certificates or private keys from customers Certificate authorities parsing certification requests from subscribers Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. On the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. OpenSSL 1.0.2 users should upgrade to 1.0.2zd OpenSSL 1.1.1 users should upgrade to 1.1.1n OpenSSL 3.0 users should upgrade to 3.0.2 This issue was reported to OpenSSL on the 24th February 2022 by Tavis Ormandy from Google. The fix was developed by David Benjamin from Google and Tomáš Mráz from OpenSSL. OpenSSL Security Advisory: https://www.openssl.org/news/secadv/20220315.txt Upstream patch: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499… -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2062202

1 0

[Bug 2062202] CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
by bugzilla＠redhat.com 16 Mar '22

16 Mar '22

https://bugzilla.redhat.com/show_bug.cgi?id=2062202 Mauro Matteo Cascella <mcascell(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Comment|0 |updated --- Comment #0 has been edited --- The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: TLS clients consuming server certificates TLS servers consuming client certificates Hosting providers taking certificates or private keys from customers Certificate authorities parsing certification requests from subscribers Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. On the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. OpenSSL 1.0.2 users should upgrade to 1.0.2zd OpenSSL 1.1.1 users should upgrade to 1.1.1n OpenSSL 3.0 users should upgrade to 3.0.2 This issue was reported to OpenSSL on the 24th February 2022 by Tavis Ormandy from Google. The fix was developed by David Benjamin from Google and Tomáš Mráz from OpenSSL. Upstream patch: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499… -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2062202

1 0

[Bug 2062202] CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
by bugzilla＠redhat.com 15 Mar '22

15 Mar '22

https://bugzilla.redhat.com/show_bug.cgi?id=2062202 --- Comment #14 from Sandipan Roy <saroy(a)redhat.com> --- https://www.openssl.org/news/secadv/20220315.txt https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499… -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2062202

1 0

2025

2024

2023

2022

2021

Epel-packagers-sig March 2022