Security update for rage-encryption

Announcement ID:	SUSE-SU-2023:4060-1
Rating:	moderate
References:	bsc#1215657
Cross-References:	CVE-2023-42811
CVSS scores:	CVE-2023-42811 ( NVD ): 4.7 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:N
Affected Products:	Basesystem Module 15-SP5 openSUSE Leap 15.5 SUSE Linux Enterprise Desktop 15 SP5 SUSE Linux Enterprise High Performance Computing 15 SP5 SUSE Linux Enterprise Real Time 15 SP5 SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP5

An update that solves one vulnerability can now be installed.

Description:

This update for rage-encryption fixes the following issues:

-CVE-2023-42811: chosen ciphertext attack possible against aes-gcm (bsc#1215657)

• update vendor.tar.zst to contain aes-gcm >= 0.10.3

• Update to version 0.9.2+0:

• CI: Ensure apt repository is up-to-date before installing build deps

• CI: Build Linux releases using ubuntu-20.04 runner

• CI: Remove most uses of actions-rs actions

• Update to version 0.9.2+0:

• Fix changelog bugs and add missing entry

• Document PINENTRY_PROGRAM environment variable
• age: Add Decryptor::new_async_buffered
• age: impl AsyncBufRead for ArmoredReader
• Pre-initialize vectors when the capacity is known, or use arrays
• Use PINENTRY_PROGRAM as environment variable for pinentry
• Document why impl AsyncWrite for StreamWriter doesn't loop indefinitely
• cargo update
• cargo vet prune
• Migrate to cargo-vet 0.7
• build(deps): bump svenstaro/upload-release-action from 2.5.0 to 2.6.1
• Correct spelling in documentation
• build(deps): bump codecov/codecov-action from 3.1.1 to 3.1.4
• StreamWriter AsyncWrite: fix usage with futures::io::copy()
• rage: Use Decryptor::new_buffered
• age: Add Decryptor::new_buffered
• age: impl BufRead for ArmoredReader
• Update Homebrew formula to v0.9.1

• feat/pinentry: Use env var to define pinentry binary

• Update to version 0.9.1+0:

• ssh: Fix parsing of OpenSSH private key format

• ssh: Support aes256-gcm@openssh.com ciphers for encrypted keys
• ssh: Add aes256-gcm@openssh.com cipher to test cases
• ssh: Extract common key material derivation logic for encrypted keys
• ssh: Use associated constants for key and IV sizes
• ssh: Add test cases for encrypted keys
• Add shell completions for fish and zsh.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.5
  zypper in -t patch SUSE-2023-4060=1 openSUSE-SLE-15.5-2023-4060=1
• Basesystem Module 15-SP5
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2023-4060=1

Package List:

• openSUSE Leap 15.5 (aarch64 x86_64)
  • rage-encryption-debuginfo-0.9.2+0-150500.3.3.1
  • rage-encryption-0.9.2+0-150500.3.3.1
• openSUSE Leap 15.5 (noarch)
  • rage-encryption-bash-completion-0.9.2+0-150500.3.3.1
  • rage-encryption-fish-completion-0.9.2+0-150500.3.3.1
  • rage-encryption-zsh-completion-0.9.2+0-150500.3.3.1
• Basesystem Module 15-SP5 (aarch64 x86_64)
  • rage-encryption-debuginfo-0.9.2+0-150500.3.3.1
  • rage-encryption-0.9.2+0-150500.3.3.1
• Basesystem Module 15-SP5 (noarch)
  • rage-encryption-bash-completion-0.9.2+0-150500.3.3.1

References:

• https://www.suse.com/security/cve/CVE-2023-42811.html
• https://bugzilla.suse.com/show_bug.cgi?id=1215657