openSUSE-SU-2017:0487-1

Published: 16 Feb 2017
Source: suse-cvrf

Description

Security update for openssl

This update for openssl fixes the following issues contained in the OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641).

Security issues fixed:

  • CVE-2016-7056: A local ECDSA P-256 timing attack that might have allowed key recovery was fixed (bsc#1019334)
  • CVE-2016-8610: A remote denial of service in SSL alert handling was fixed (bsc#1005878)
  • CVE-2016-2108: Added a missing commit for CVE-2016-2108, fixing the negative zero handling in the ASN.1 decoder (bsc#1004499)
  • CVE-2017-3731: A truncated packet could cause a crash via an out-of-bounds read (bsc#1022085)
  • Degrade the 3DES cipher to MEDIUM in SSLv2 (bsc#1001912)

Bugs fixed:

  • fix crash in openssl speed (bsc#1000677)
  • fix ca-bundle path (bsc#1022271)

This update was imported from the SUSE:SLE-12-SP1:Update update project.

Package list

openSUSE Leap 42.1
libopenssl-devel-1.0.1i-21.1
libopenssl-devel-32bit-1.0.1i-21.1
libopenssl1_0_0-1.0.1i-21.1
libopenssl1_0_0-32bit-1.0.1i-21.1
libopenssl1_0_0-hmac-1.0.1i-21.1
libopenssl1_0_0-hmac-32bit-1.0.1i-21.1
openssl-1.0.1i-21.1
openssl-doc-1.0.1i-21.1
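A practitioner's check against the package list above, added here as an example that is neither part of the advisory nor of the exploitDog page: it compares an installed-package inventory with the fixed version-release `1.0.1i-21.1` using a simplified rpmvercmp (no tilde or caret handling). The inventory format (`rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`) and the sample lines are assumptions.

```python
import re

# Fixed version-release for every openSUSE Leap 42.1 package listed in openSUSE-SU-2017:0487-1
FIXED_VR = "1.0.1i-21.1"
ADVISORY_PACKAGES = {
    "libopenssl-devel", "libopenssl-devel-32bit", "libopenssl1_0_0",
    "libopenssl1_0_0-32bit", "libopenssl1_0_0-hmac", "libopenssl1_0_0-hmac-32bit",
    "openssl", "openssl-doc",
}

def _segments(s):
    # rpmvercmp-style tokenisation: runs of digits vs runs of letters; separators are ignored
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1. Digit runs compare numerically, letter runs
    lexically, a numeric segment beats an alphabetic one, and leftover segments win."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(installed, fixed):
    """Compare two 'version-release' strings: version first, release as tie-breaker."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)

def unpatched(rpm_qa_lines):
    r"""Take lines of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output (assumed format)
    and return (name, installed, fixed) for advisory packages still below the fixed version."""
    missing = []
    for line in rpm_qa_lines:
        name, vr = line.split()
        if name in ADVISORY_PACKAGES and evr_cmp(vr, FIXED_VR) < 0:
            missing.append((name, vr, FIXED_VR))
    return missing

# Constructed sample inventory, not output from any real host.
SAMPLE = ["openssl 1.0.1i-20.3", "libopenssl1_0_0 1.0.1i-21.1",
          "libopenssl-devel 1.0.1i-21.1", "bash 4.3-82.1"]

if __name__ == "__main__":
    print(unpatched(SAMPLE))
```

On the host itself `zypper list-patches` and `zypper patch` remain the supported way to apply this update; the script is for inventories collected off-box.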

Description

The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.


Affected products
openSUSE Leap 42.1:libopenssl-devel-1.0.1i-21.1
openSUSE Leap 42.1:libopenssl-devel-32bit-1.0.1i-21.1
openSUSE Leap 42.1:libopenssl1_0_0-1.0.1i-21.1
openSUSE Leap 42.1:libopenssl1_0_0-32bit-1.0.1i-21.1

References

Description

A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.


Affected products
openSUSE Leap 42.1:libopenssl-devel-1.0.1i-21.1
openSUSE Leap 42.1:libopenssl-devel-32bit-1.0.1i-21.1
openSUSE Leap 42.1:libopenssl1_0_0-1.0.1i-21.1
openSUSE Leap 42.1:libopenssl1_0_0-32bit-1.0.1i-21.1

References

Description

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.


Affected products
openSUSE Leap 42.1:libopenssl-devel-1.0.1i-21.1
openSUSE Leap 42.1:libopenssl-devel-32bit-1.0.1i-21.1
openSUSE Leap 42.1:libopenssl1_0_0-1.0.1i-21.1
openSUSE Leap 42.1:libopenssl1_0_0-32bit-1.0.1i-21.1

References

Description

If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For OpenSSL 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k.


Affected products
openSUSE Leap 42.1:libopenssl-devel-1.0.1i-21.1
openSUSE Leap 42.1:libopenssl-devel-32bit-1.0.1i-21.1
openSUSE Leap 42.1:libopenssl1_0_0-1.0.1i-21.1
openSUSE Leap 42.1:libopenssl1_0_0-32bit-1.0.1i-21.1

References