Описание
Security update for openldap2
This update fixes the following security issues:
- CVE-2015-6908: The ber_get_next function allowed remote attackers to cause a denial of service (reachable assertion and application crash) via crafted BER data, as demonstrated by an attack against slapd. (bsc#945582)
- CVE-2015-4000: Fix weak Diffie-Hellman size vulnerability. (bsc#937766)
It also fixes the following non-security bugs:
- bsc#955210: Unresponsive LDAP host lookups in IPv6 environment
This update adds the following functionality:
- fate#319300: SHA2 password hashing module that can be loaded on-demand.
Список пакетов
SUSE Linux Enterprise Desktop 12
SUSE Linux Enterprise Desktop 12 SP1
SUSE Linux Enterprise Module for Legacy 12
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 12 SP1
SUSE Linux Enterprise Server for SAP Applications 12
SUSE Linux Enterprise Server for SAP Applications 12 SP1
SUSE Linux Enterprise Software Development Kit 12
SUSE Linux Enterprise Software Development Kit 12 SP1
Ссылки
- Link for SUSE-SU-2016:0224-1
- E-Mail link for SUSE-SU-2016:0224-1
- SUSE Security Ratings
- SUSE Bug 937766
- SUSE Bug 945582
- SUSE Bug 955210
- SUSE CVE CVE-2015-4000 page
- SUSE CVE CVE-2015-6908 page
Описание
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.
Затронутые продукты
Ссылки
- CVE-2015-4000
- SUSE Bug 1074631
- SUSE Bug 1211968
- SUSE Bug 931600
- SUSE Bug 931698
- SUSE Bug 931723
- SUSE Bug 931845
- SUSE Bug 932026
- SUSE Bug 932483
- SUSE Bug 934789
- SUSE Bug 935033
- SUSE Bug 935540
- SUSE Bug 935979
- SUSE Bug 937202
- SUSE Bug 937766
- SUSE Bug 938248
- SUSE Bug 938432
- SUSE Bug 938895
- SUSE Bug 938905
- SUSE Bug 938906
Описание
The ber_get_next function in libraries/liblber/io.c in OpenLDAP 2.4.42 and earlier allows remote attackers to cause a denial of service (reachable assertion and application crash) via crafted BER data, as demonstrated by an attack against slapd.
Затронутые продукты
Ссылки
- CVE-2015-6908
- SUSE Bug 945582