Описание
Security update for openssl
This update for openssl fixes the following issues contained in the OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641)
Security issues fixed:
- CVE-2016-7056: A local ECSDA P-256 timing attack that might have allowed key recovery was fixed (bsc#1019334)
- CVE-2016-8610: A remote denial of service in SSL alert handling was fixed (bsc#1005878)
- CVE-2016-2108: Added a missing commit for CVE-2016-2108, fixing the negative zero handling in the ASN.1 decoder (bsc#1004499)
- CVE-2017-3731: Truncated packet could crash via OOB read (bsc#1022085, CVE-2017-3731)
- Degrade the 3DES cipher to MEDIUM in SSLv2 (bsc#1001912)
Bugs fixed:
- fix crash in openssl speed (bsc#1000677)
- fix ca-bundle path (bsc#1022271)
Список пакетов
SUSE Linux Enterprise Desktop 12 SP1
SUSE Linux Enterprise Server 12 SP1
SUSE Linux Enterprise Server for SAP Applications 12 SP1
SUSE Linux Enterprise Software Development Kit 12 SP1
Ссылки
- Link for SUSE-SU-2017:0461-1
- E-Mail link for SUSE-SU-2017:0461-1
- SUSE Security Ratings
- SUSE Bug 1000677
- SUSE Bug 1001912
- SUSE Bug 1004499
- SUSE Bug 1005878
- SUSE Bug 1019334
- SUSE Bug 1021641
- SUSE Bug 1022085
- SUSE Bug 1022271
- SUSE CVE CVE-2016-2108 page
- SUSE CVE CVE-2016-7056 page
- SUSE CVE CVE-2016-8610 page
- SUSE CVE CVE-2017-3731 page
Описание
The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.
Затронутые продукты
Ссылки
- CVE-2016-2108
- SUSE Bug 1001502
- SUSE Bug 1004499
- SUSE Bug 1005878
- SUSE Bug 1148697
- SUSE Bug 977584
- SUSE Bug 977617
- SUSE Bug 978492
- SUSE Bug 989345
- SUSE Bug 996067
Описание
A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.
Затронутые продукты
Ссылки
- CVE-2016-7056
- SUSE Bug 1005878
- SUSE Bug 1019334
- SUSE Bug 1148697
Описание
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.
Затронутые продукты
Ссылки
- CVE-2016-8610
- SUSE Bug 1005878
- SUSE Bug 1005879
- SUSE Bug 1110018
- SUSE Bug 1120592
- SUSE Bug 1126909
- SUSE Bug 1148697
- SUSE Bug 982575
Описание
If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k.
Затронутые продукты
Ссылки
- CVE-2017-3731
- SUSE Bug 1021641
- SUSE Bug 1022085
- SUSE Bug 1064118
- SUSE Bug 1064119