Description
Security update for compat-openssl098
This update for compat-openssl098 fixes the following issues contained in the OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641).
Security issues fixed:
- CVE-2016-7056: A local ECDSA P-256 timing attack that might have allowed key recovery was fixed (bsc#1019334)
- CVE-2016-8610: A remote denial of service in SSL alert handling was fixed (bsc#1005878)
- degrade 3DES to MEDIUM in SSL2 (bsc#1001912)
- CVE-2016-2108: Added a missing commit for CVE-2016-2108, fixing the negative zero handling in the ASN.1 decoder (bsc#1004499)
Bugs fixed:
- fix crash in openssl speed (bsc#1000677)
- don't attempt session resumption if no ticket is present and session ID length is zero (bsc#984663)
Package list
SUSE Linux Enterprise Desktop 12 SP1
SUSE Linux Enterprise Desktop 12 SP2
SUSE Linux Enterprise Module for Legacy 12
SUSE Linux Enterprise Server for SAP Applications 12 SP1
SUSE Linux Enterprise Server for SAP Applications 12 SP2
References
- Link for SUSE-SU-2017:0605-1
- E-Mail link for SUSE-SU-2017:0605-1
- SUSE Security Ratings
- SUSE Bug 1000677
- SUSE Bug 1001912
- SUSE Bug 1004499
- SUSE Bug 1005878
- SUSE Bug 1019334
- SUSE Bug 1021641
- SUSE Bug 984663
- SUSE CVE CVE-2016-2108 page
- SUSE CVE CVE-2016-7056 page
- SUSE CVE CVE-2016-8610 page
Description
The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.
Affected products
References
- CVE-2016-2108
- SUSE Bug 1001502
- SUSE Bug 1004499
- SUSE Bug 1005878
- SUSE Bug 1148697
- SUSE Bug 977584
- SUSE Bug 977617
- SUSE Bug 978492
- SUSE Bug 989345
- SUSE Bug 996067
Description
A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.
Affected products
References
- CVE-2016-7056
- SUSE Bug 1005878
- SUSE Bug 1019334
- SUSE Bug 1148697
Description
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.
Affected products
References
- CVE-2016-8610
- SUSE Bug 1005878
- SUSE Bug 1005879
- SUSE Bug 1110018
- SUSE Bug 1120592
- SUSE Bug 1126909
- SUSE Bug 1148697
- SUSE Bug 982575