SUSE-SU-2013:1386-1: moderate: Security update for OpenSSL
sle-security-updates at lists.suse.com
Wed Aug 28 06:04:10 MDT 2013
SUSE Security Update: Security update for OpenSSL
______________________________________________________________________________
Announcement ID: SUSE-SU-2013:1386-1
Rating: moderate
References: #739719 #758060 #802648 #802746
Affected Products:
SUSE CORE 9
______________________________________________________________________________
An update that contains security fixes can now be installed.
Description:
OpenSSL on SUSE Linux Enterprise Server 9 LTSS has been
updated to receive a roll up of security fixes from the
last year.
The following issues have been fixed:
* CVE-2013-0169: The TLS protocol and the DTLS protocol, as used in OpenSSL and other products, did not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allowed remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
* CVE-2013-0166: OpenSSL did not properly perform signature verification for OCSP responses, which allowed remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.
* CVE-2012-2110 CVE-2012-2131: The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL did not properly interpret integer data, which allowed remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.
* CVE-2011-4576: The SSL 3.0 implementation in OpenSSL did not properly initialize data structures for block cipher padding, which might have allowed remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.
* CVE-2011-4619: The Server Gated Cryptography (SGC) implementation in OpenSSL did not properly handle handshake restarts, which allowed remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.
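The CVE-2012-2110 / CVE-2012-2131 entry concerns DER length fields that were misinterpreted as integers. As an added illustration (not OpenSSL's code and not the patched asn1_d2i_read_bio routine), the C decoder below shows the defensive check class: it accumulates the encoded length as an unsigned value and rejects any element whose content could not fit in the buffer it was read from. The sample byte strings are constructed for this example.

```c
#include <stddef.h>

/* Decode the tag+length header of a DER element in buf[0..avail).
 * On success returns 0 and sets *hdr (header bytes) and *len (content bytes).
 * Returns -1 for truncated, indefinite, non-minimal, or oversized lengths. */
int der_tlv_header(const unsigned char *buf, size_t avail, size_t *hdr, size_t *len)
{
    size_t nbytes = 0, value = 0;
    if (buf == NULL || avail < 2)              /* need at least tag + one length byte */
        return -1;
    if (buf[1] < 0x80) {                       /* short form: the byte is the length */
        value = buf[1];
    } else {
        nbytes = buf[1] & 0x7f;                /* long form: number of length octets */
        if (nbytes == 0 || nbytes > sizeof(size_t))
            return -1;                         /* 0x80 is BER indefinite; or too wide */
        if (avail - 2 < nbytes)
            return -1;                         /* the length octets themselves are missing */
        for (size_t i = 0; i < nbytes; i++)
            value = (value << 8) | buf[2 + i]; /* unsigned accumulate: no sign surprises */
        if (buf[2] == 0 || value < 0x80)
            return -1;                         /* DER requires the minimal encoding */
    }
    if (value > avail - (2 + nbytes))          /* content must fit what we actually hold */
        return -1;
    *hdr = 2 + nbytes;
    *len = value;
    return 0;
}

/* Convenience wrapper: content length of the element, or -1 if rejected. */
long der_content_len(const unsigned char *buf, size_t avail)
{
    size_t hdr, len;
    if (der_tlv_header(buf, avail, &hdr, &len) != 0 || len > 0x7fffffff)
        return -1;
    return (long)len;
}

/* Constructed sample inputs (not taken from any real certificate or key). */
const unsigned char DER_OK[]     = {0x30, 0x03, 0x02, 0x01, 0x05};             /* SEQUENCE { INTEGER 5 } */
const unsigned char DER_TRUNC[]  = {0x30, 0x82, 0x01, 0x00, 0x02};             /* claims 256 bytes, has 1 */
const unsigned char DER_HUGE[]   = {0x30, 0x84, 0xff, 0xff, 0xff, 0xff, 0x00}; /* ~4 GiB claimed */
const unsigned char DER_NONMIN[] = {0x30, 0x81, 0x03, 0x02, 0x01, 0x05};       /* 0x81 0x03 must be 0x03 */
const unsigned char DER_INDEF[]  = {0x30, 0x80, 0x02, 0x01, 0x05, 0x00, 0x00}; /* BER indefinite length */
```

Only DER_OK is accepted (content length 3); each of the other inputs is rejected before any read past the buffer could occur.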
Package List:
- SUSE CORE 9 (i586 s390 s390x x86_64):
openssl-0.9.7d-15.48
openssl-devel-0.9.7d-15.48
openssl-doc-0.9.7d-15.48
- SUSE CORE 9 (x86_64):
openssl-32bit-9-201308121627
openssl-devel-32bit-9-201308121627
- SUSE CORE 9 (s390x):
openssl-32bit-9-201308121642
openssl-devel-32bit-9-201308121642
References:
https://bugzilla.novell.com/739719
https://bugzilla.novell.com/758060
https://bugzilla.novell.com/802648
https://bugzilla.novell.com/802746
http://download.novell.com/patch/finder/?keywords=bea1b3ef15108e5f9d7fc35575cbb857