Описание
Security update for openssl-1_0_0
This update for openssl-1_0_0 fixes the following issues:
Security issues fixed:
- CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652).
- CVE-2018-5407: Added elliptic curve scalar multiplication timing attack defenses that fixes "PortSmash" (bsc#1113534).
Non-security issues fixed:
- Added missing timing side channel patch for DSA signature generation (bsc#1113742).
- Set TLS version to 0 in msg_callback for record messages to avoid confusing applications (bsc#1100078).
- Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209)
This update was imported from the SUSE:SLE-15:Update update project.
Список пакетов
openSUSE Leap 15.0
libopenssl-1_0_0-devel-1.0.2p-lp150.2.9.1
libopenssl-1_0_0-devel-32bit-1.0.2p-lp150.2.9.1
libopenssl1_0_0-1.0.2p-lp150.2.9.1
libopenssl1_0_0-32bit-1.0.2p-lp150.2.9.1
libopenssl1_0_0-hmac-1.0.2p-lp150.2.9.1
libopenssl1_0_0-hmac-32bit-1.0.2p-lp150.2.9.1
libopenssl1_0_0-steam-1.0.2p-lp150.2.9.1
libopenssl1_0_0-steam-32bit-1.0.2p-lp150.2.9.1
openssl-1_0_0-1.0.2p-lp150.2.9.1
openssl-1_0_0-cavs-1.0.2p-lp150.2.9.1
openssl-1_0_0-doc-1.0.2p-lp150.2.9.1
Ссылки
- E-Mail link for openSUSE-SU-2018:4050-1
- SUSE Security Ratings
Описание
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).
Затронутые продукты
openSUSE Leap 15.0:libopenssl-1_0_0-devel-1.0.2p-lp150.2.9.1
openSUSE Leap 15.0:libopenssl-1_0_0-devel-32bit-1.0.2p-lp150.2.9.1
openSUSE Leap 15.0:libopenssl1_0_0-1.0.2p-lp150.2.9.1
openSUSE Leap 15.0:libopenssl1_0_0-32bit-1.0.2p-lp150.2.9.1
Ссылки
- CVE-2018-0734
- SUSE Bug 1113534
- SUSE Bug 1113652
- SUSE Bug 1113742
- SUSE Bug 1122198
- SUSE Bug 1122212
Описание
Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.
Затронутые продукты
openSUSE Leap 15.0:libopenssl-1_0_0-devel-1.0.2p-lp150.2.9.1
openSUSE Leap 15.0:libopenssl-1_0_0-devel-32bit-1.0.2p-lp150.2.9.1
openSUSE Leap 15.0:libopenssl1_0_0-1.0.2p-lp150.2.9.1
openSUSE Leap 15.0:libopenssl1_0_0-32bit-1.0.2p-lp150.2.9.1
Ссылки
- CVE-2018-5407
- SUSE Bug 1113534
- SUSE Bug 1116195