Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2018:2534-1

Опубликовано: 28 авг. 2018
Источник: suse-cvrf

Описание

Security update for compat-openssl097g

This update for compat-openssl097g fixes the following issues:

These security issues were fixed:

  • CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (bsc#1097158)
  • CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could have resulted in DoS (bsc#1087102)

This non-security issue was fixed:

  • Fixed crash in DES_fcrypt (bsc#1065363)

Список пакетов

SUSE Linux Enterprise Server for SAP Applications 11 SP4
compat-openssl097g-0.9.7g-146.22.51.5.1
compat-openssl097g-32bit-0.9.7g-146.22.51.5.1

Ссылки

Описание

During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o).

Затронутые продукты
SUSE Linux Enterprise Server for SAP Applications 11 SP4:compat-openssl097g-0.9.7g-146.22.51.5.1
SUSE Linux Enterprise Server for SAP Applications 11 SP4:compat-openssl097g-32bit-0.9.7g-146.22.51.5.1
Ссылки

Описание

Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).

Затронутые продукты
SUSE Linux Enterprise Server for SAP Applications 11 SP4:compat-openssl097g-0.9.7g-146.22.51.5.1
SUSE Linux Enterprise Server for SAP Applications 11 SP4:compat-openssl097g-32bit-0.9.7g-146.22.51.5.1
Ссылки