Description
Security update for openssl
This update for openssl fixes the following issues:
- CVE-2016-2108: Memory corruption in the ASN.1 encoder (bsc#977617)
- CVE-2016-2107: Padding oracle in AES-NI CBC MAC check (bsc#977616)
- CVE-2016-2105: EVP_EncodeUpdate overflow (bsc#977614)
- CVE-2016-2106: EVP_EncryptUpdate overflow (bsc#977615)
- CVE-2016-2109: ASN.1 BIO excessive memory allocation (bsc#976942)
- bsc#976943: Buffer overrun in ASN1_parse
- bsc#977621: Preserve negotiated digests for SNI (bsc#977621)
- bsc#958501: Fix openssl enc -non-fips-allow option in FIPS mode (bsc#958501)
Package list
SUSE Linux Enterprise Desktop 12 SP1
SUSE Linux Enterprise Server 12 SP1
SUSE Linux Enterprise Server for SAP Applications 12 SP1
SUSE Linux Enterprise Software Development Kit 12 SP1
References
- Link for SUSE-SU-2016:1233-1
- E-Mail link for SUSE-SU-2016:1233-1
- SUSE Security Ratings
- SUSE Bug 958501
- SUSE Bug 976942
- SUSE Bug 976943
- SUSE Bug 977614
- SUSE Bug 977615
- SUSE Bug 977616
- SUSE Bug 977617
- SUSE Bug 977621
- SUSE CVE CVE-2016-2105 page
- SUSE CVE CVE-2016-2106 page
- SUSE CVE CVE-2016-2107 page
- SUSE CVE CVE-2016-2108 page
- SUSE CVE CVE-2016-2109 page
Description
Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
Affected products
References
- CVE-2016-2105
- SUSE Bug 977584
- SUSE Bug 977614
- SUSE Bug 978492
- SUSE Bug 989902
- SUSE Bug 990369
- SUSE Bug 990370
Description
Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.
Affected products
References
- CVE-2016-2106
- SUSE Bug 977584
- SUSE Bug 977615
- SUSE Bug 978492
- SUSE Bug 979279
- SUSE Bug 990369
Description
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
Affected products
References
- CVE-2016-2107
- SUSE Bug 976942
- SUSE Bug 977584
- SUSE Bug 977616
- SUSE Bug 978492
- SUSE Bug 990369
- SUSE Bug 990370
Description
The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.
Affected products
References
- CVE-2016-2108
- SUSE Bug 1001502
- SUSE Bug 1004499
- SUSE Bug 1005878
- SUSE Bug 1148697
- SUSE Bug 977584
- SUSE Bug 977617
- SUSE Bug 978492
- SUSE Bug 989345
- SUSE Bug 996067
Description
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.
Affected products
References
- CVE-2016-2109
- SUSE Bug 1015243
- SUSE Bug 976942
- SUSE Bug 977584
- SUSE Bug 978492
- SUSE Bug 990369