Описание
Security update for compat-openssl097g
This update for compat-openssl097g fixes the following issues:
OpenSSL Security Advisory [22 Sep 2016] (bsc#999665)
Severity: Low
- Pointer arithmetic undefined behaviour (CVE-2016-2177) (bsc#982575)
- OOB write in BN_bn2dec() (CVE-2016-2182) (bsc#993819)
- Birthday attack against 64-bit block ciphers (SWEET32) (CVE-2016-2183) (bsc#995359)
- OOB write in MDC2_Update() (CVE-2016-6303) (bsc#995377)
- Certificate message OOB reads (CVE-2016-6306) (bsc#999668)
Список пакетов
SUSE Linux Enterprise Server for SAP Applications 11 SP3
SUSE Linux Enterprise Server for SAP Applications 11 SP4
Ссылки
- Link for SUSE-SU-2016:2545-1
- E-Mail link for SUSE-SU-2016:2545-1
- SUSE Security Ratings
- SUSE Bug 982575
- SUSE Bug 993819
- SUSE Bug 995359
- SUSE Bug 995377
- SUSE Bug 999665
- SUSE Bug 999668
- SUSE CVE CVE-2016-2177 page
- SUSE CVE CVE-2016-2182 page
- SUSE CVE CVE-2016-2183 page
- SUSE CVE CVE-2016-6303 page
- SUSE CVE CVE-2016-6306 page
Описание
OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.
Затронутые продукты
Ссылки
- CVE-2016-2177
- SUSE Bug 982575
- SUSE Bug 999075
- SUSE Bug 999665
Описание
The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
Затронутые продукты
Ссылки
- CVE-2016-2182
- SUSE Bug 1004104
- SUSE Bug 993819
- SUSE Bug 994844
- SUSE Bug 995959
- SUSE Bug 999665
Описание
The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
Затронутые продукты
Ссылки
- CVE-2016-2183
- SUSE Bug 1001912
- SUSE Bug 1024218
- SUSE Bug 1027038
- SUSE Bug 1034689
- SUSE Bug 1056614
- SUSE Bug 1171693
- SUSE Bug 994844
- SUSE Bug 995359
Описание
Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
Затронутые продукты
Ссылки
- CVE-2016-6303
- SUSE Bug 1004104
- SUSE Bug 1115893
- SUSE Bug 994844
- SUSE Bug 995377
- SUSE Bug 999665
Описание
The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.
Затронутые продукты
Ссылки
- CVE-2016-6306
- SUSE Bug 1004104
- SUSE Bug 999665
- SUSE Bug 999668