Description
Security update for openssl
This update for openssl fixes the following issues:
Security issues fixed:
- CVE-2016-2108: Memory corruption in the ASN.1 encoder (bsc#977617)
- CVE-2016-2105: EVP_EncodeUpdate overflow (bsc#977614)
- CVE-2016-2106: EVP_EncryptUpdate overflow (bsc#977615)
- CVE-2016-2109: ASN.1 BIO excessive memory allocation (bsc#976942)
- CVE-2016-0702: Side channel attack on modular exponentiation 'CacheBleed' (bsc#968050)
Bugs fixed:
- fate#320304: build 32bit devel package
- bsc#976943: Fix buffer overrun in ASN1_parse
- bsc#973223: allow weak DH groups, vulnerable to the logjam attack, when environment variable OPENSSL_ALLOW_LOGJAM_ATTACK is set
- bsc#889013: Rename README.SuSE to the new spelling
Package list
SUSE Linux Enterprise Server 11 SP2-LTSS
SUSE Linux Enterprise Server 11 SP3-LTSS
SUSE Linux Enterprise Server 11 SP3-TERADATA
SUSE Linux Enterprise Server 11 SP4
SUSE Linux Enterprise Server for SAP Applications 11 SP4
SUSE Linux Enterprise Software Development Kit 11 SP4
SUSE Manager 2.1
SUSE Manager Proxy 2.1
SUSE OpenStack Cloud 5
SUSE Studio Onsite 1.3
References
- Link for SUSE-SU-2016:1290-1
- E-Mail link for SUSE-SU-2016:1290-1
- SUSE Security Ratings
- SUSE Bug 889013
- SUSE Bug 968050
- SUSE Bug 976942
- SUSE Bug 976943
- SUSE Bug 977614
- SUSE Bug 977615
- SUSE Bug 977617
- SUSE CVE CVE-2016-0702 page
- SUSE CVE CVE-2016-2105 page
- SUSE CVE CVE-2016-2106 page
- SUSE CVE CVE-2016-2108 page
- SUSE CVE CVE-2016-2109 page
Description
The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a "CacheBleed" attack.
Affected products
References
- CVE-2016-0702
- SUSE Bug 1007806
- SUSE Bug 968044
- SUSE Bug 968050
- SUSE Bug 971238
- SUSE Bug 990370
Description
Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
Affected products
References
- CVE-2016-2105
- SUSE Bug 977584
- SUSE Bug 977614
- SUSE Bug 978492
- SUSE Bug 989902
- SUSE Bug 990369
- SUSE Bug 990370
Description
Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.
Affected products
References
- CVE-2016-2106
- SUSE Bug 977584
- SUSE Bug 977615
- SUSE Bug 978492
- SUSE Bug 979279
- SUSE Bug 990369
Description
The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.
Affected products
References
- CVE-2016-2108
- SUSE Bug 1001502
- SUSE Bug 1004499
- SUSE Bug 1005878
- SUSE Bug 1148697
- SUSE Bug 977584
- SUSE Bug 977617
- SUSE Bug 978492
- SUSE Bug 989345
- SUSE Bug 996067
Description
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.
Affected products
References
- CVE-2016-2109
- SUSE Bug 1015243
- SUSE Bug 976942
- SUSE Bug 977584
- SUSE Bug 978492
- SUSE Bug 990369
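The five CVE descriptions above each state the first fixed upstream release on the 1.0.1 and 1.0.2 branches. The following added example (not part of the advisory or of OpenSSL) parses an `openssl version` string, with its letter-suffixed patch level, and reports which of these CVEs the stated upstream ranges still cover. It assumes an upstream-built or vendored OpenSSL: SUSE backports the fixes into packages that keep an older upstream version string, so on the products listed above the updated package version, not this check, is authoritative.

```python
import re
from typing import List, Tuple

# First fixed upstream release per CVE, as stated in the descriptions
# on this advisory: (fix on the 1.0.1 branch, fix on the 1.0.2 branch).
FIXED_IN = {
    "CVE-2016-0702": ("1.0.1s", "1.0.2g"),
    "CVE-2016-2105": ("1.0.1t", "1.0.2h"),
    "CVE-2016-2106": ("1.0.1t", "1.0.2h"),
    "CVE-2016-2108": ("1.0.1o", "1.0.2c"),
    "CVE-2016-2109": ("1.0.1t", "1.0.2h"),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text: str) -> Tuple[int, int, int, str]:
    """Turn an OpenSSL 1.0.x-style version ('1.0.1e-fips' or the full
    'OpenSSL 1.0.2g  1 Mar 2016' banner) into a comparable tuple.
    The trailing letters are the patch level; '' sorts before 'a'."""
    text = text.strip()
    if text.startswith("OpenSSL "):
        text = text[len("OpenSSL "):]
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, fix, letters = match.groups()
    return int(major), int(minor), int(fix), letters


def unfixed_cves(version_text: str) -> List[str]:
    """Return the CVEs from this advisory whose upstream fix is newer
    than the given version. A 1.0.2 build is compared against the 1.0.2
    fix; anything older is compared against the 1.0.1 fix, since the CVE
    text 'before 1.0.1t' also covers the 1.0.0 and 0.9.8 branches.
    Releases after 1.0.2 fall outside every range the advisory states."""
    version = parse_version(version_text)
    branch = version[:3]
    still_open = []
    for cve, (fix_101, fix_102) in FIXED_IN.items():
        if branch == (1, 0, 2):
            affected = version < parse_version(fix_102)
        elif branch < (1, 0, 2):
            affected = version < parse_version(fix_101)
        else:
            affected = False
        if affected:
            still_open.append(cve)
    return still_open
```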