Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2017:0495-1

Опубликовано: 17 фев. 2017
Источник: suse-cvrf

Описание

Security update for openssl1

This update for openssl1 fixes the following issues contained in the OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641)

Security issues fixed:

  • CVE-2016-7056: A local ECSDA P-256 timing attack that might have allowed key recovery was fixed (bsc#1019334)
  • CVE-2016-8610: A remote denial of service in SSL alert handling was fixed (bsc#1005878)
  • CVE-2017-3731: Truncated packet could crash via OOB read (bsc#1022085)
  • Degrade the 3DES cipher to MEDIUM in SSLv2 (bsc#1001912)
  • CVE-2016-2108: Added a missing commit for CVE-2016-2108, fixing the negative zero handling in the ASN.1 decoder (bsc#1004499)

Bugs fixed:

  • fix crash in openssl speed (bsc#1000677)
  • call c_rehash in %post (bsc#1001707)
  • ship static libraries in the devel package (bsc#1022644)

Список пакетов

SUSE Linux Enterprise Server 11-SECURITY
libopenssl1-devel-1.0.1g-0.57.1
libopenssl1_0_0-1.0.1g-0.57.1
libopenssl1_0_0-32bit-1.0.1g-0.57.1
libopenssl1_0_0-x86-1.0.1g-0.57.1
openssl1-1.0.1g-0.57.1
openssl1-doc-1.0.1g-0.57.1

Ссылки

Описание

The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.

Затронутые продукты
SUSE Linux Enterprise Server 11-SECURITY:libopenssl1-devel-1.0.1g-0.57.1
SUSE Linux Enterprise Server 11-SECURITY:libopenssl1_0_0-1.0.1g-0.57.1
SUSE Linux Enterprise Server 11-SECURITY:libopenssl1_0_0-32bit-1.0.1g-0.57.1
SUSE Linux Enterprise Server 11-SECURITY:libopenssl1_0_0-x86-1.0.1g-0.57.1
Ссылки

Описание

A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.

Затронутые продукты
SUSE Linux Enterprise Server 11-SECURITY:libopenssl1-devel-1.0.1g-0.57.1
SUSE Linux Enterprise Server 11-SECURITY:libopenssl1_0_0-1.0.1g-0.57.1
SUSE Linux Enterprise Server 11-SECURITY:libopenssl1_0_0-32bit-1.0.1g-0.57.1
SUSE Linux Enterprise Server 11-SECURITY:libopenssl1_0_0-x86-1.0.1g-0.57.1
Ссылки

Описание

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.

Затронутые продукты
SUSE Linux Enterprise Server 11-SECURITY:libopenssl1-devel-1.0.1g-0.57.1
SUSE Linux Enterprise Server 11-SECURITY:libopenssl1_0_0-1.0.1g-0.57.1
SUSE Linux Enterprise Server 11-SECURITY:libopenssl1_0_0-32bit-1.0.1g-0.57.1
SUSE Linux Enterprise Server 11-SECURITY:libopenssl1_0_0-x86-1.0.1g-0.57.1
Ссылки

Описание

If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k.

Затронутые продукты
SUSE Linux Enterprise Server 11-SECURITY:libopenssl1-devel-1.0.1g-0.57.1
SUSE Linux Enterprise Server 11-SECURITY:libopenssl1_0_0-1.0.1g-0.57.1
SUSE Linux Enterprise Server 11-SECURITY:libopenssl1_0_0-32bit-1.0.1g-0.57.1
SUSE Linux Enterprise Server 11-SECURITY:libopenssl1_0_0-x86-1.0.1g-0.57.1
Ссылки
Уязвимость SUSE-SU-2017:0495-1