SUSE-SU-2015:0305-1: moderate: Security update for compat-openssl098

sle-security-updates at lists.suse.com
Tue Feb 17 08:05:26 MST 2015


   SUSE Security Update: Security update for compat-openssl098
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0305-1
Rating:             moderate
References:         #892403 #912014 #912015 #912018 #912293 #912294 
                    #912296 
Cross-References:   CVE-2014-0224 CVE-2014-3570 CVE-2014-3571
                    CVE-2014-3572 CVE-2014-8275 CVE-2015-0204
                    CVE-2015-0205
Affected Products:
                    SUSE Linux Enterprise Module for Legacy Software 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available.

Description:


   The openssl 0.9.8j compatibility package was updated to fix several
   security vulnerabilities:

   CVE-2014-3570: Bignum squaring (BN_sqr) may produce incorrect results
   on some platforms, including x86_64.

   CVE-2014-3571: Fix a crash in dtls1_get_record while in the listen state,
   where two separate reads are performed: one for the header and one for
   the body of the handshake record.

   CVE-2014-3572: Do not accept a handshake using an ephemeral ECDH
   ciphersuite with the server key exchange message omitted.

   CVE-2014-8275: Fixed various certificate fingerprint issues.

   CVE-2015-0204: Only allow ephemeral RSA keys in export ciphersuites.

   CVE-2015-0205: OpenSSL 0.9.8j is NOT vulnerable to CVE-2015-0205, as it
   doesn't support DH certificates, and this typo prohibits skipping of the
   certificate verify message for sign-only certificates anyway. (This patch
   only fixes the wrong condition.)

   This update also fixes a regression caused by CVE-2014-0224.patch
   (bnc#892403).


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Legacy Software 12:

      zypper in -t patch SUSE-SLE-Module-Legacy-12-2015-78=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-78=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Module for Legacy Software 12 (s390x x86_64):

      compat-openssl098-debugsource-0.9.8j-70.2
      libopenssl0_9_8-0.9.8j-70.2
      libopenssl0_9_8-32bit-0.9.8j-70.2
      libopenssl0_9_8-debuginfo-0.9.8j-70.2
      libopenssl0_9_8-debuginfo-32bit-0.9.8j-70.2

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      compat-openssl098-debugsource-0.9.8j-70.2
      libopenssl0_9_8-0.9.8j-70.2
      libopenssl0_9_8-32bit-0.9.8j-70.2
      libopenssl0_9_8-debuginfo-0.9.8j-70.2
      libopenssl0_9_8-debuginfo-32bit-0.9.8j-70.2
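
   To confirm that a host carries the fixed build, the following added example (not part of the original advisory or of SUSE's tooling) filters rpm query output for the packages listed above and reports any older than 0.9.8j-70.2. The function name find_unpatched and the input format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the advisory): list installed packages from the
# advisory's Package List that are older than the fixed build 0.9.8j-70.2.
FIXED="0.9.8j-70.2"   # version-release taken from the Package List

# Reads "NAME VERSION-RELEASE" lines on stdin, prints the ones older than
# $FIXED, and returns 1 if any were found. The comparison follows rpm's
# segment-wise ordering; epochs, "~" and "^" are not handled (assumption:
# these packages use none of them).
find_unpatched() {
  LC_ALL=C awk -v fixed="$FIXED" '
    # Pop the leading run of s matching re; the remainder is left in REST.
    function take(s, re) {
      if (match(s, re)) { REST = substr(s, RLENGTH + 1); return substr(s, 1, RLENGTH) }
      REST = s; return ""
    }
    function vercmp(a, b,   re, x, y) {
      while (1) {
        sub(/^[^A-Za-z0-9]+/, "", a); sub(/^[^A-Za-z0-9]+/, "", b)
        if (a == "" || b == "") break
        re = (a ~ /^[0-9]/) ? "^[0-9]+" : "^[A-Za-z]+"
        x = take(a, re); a = REST
        y = take(b, re); b = REST
        if (y == "") return (re == "^[0-9]+") ? 1 : -1   # digits outrank letters
        if (re == "^[0-9]+") {                            # numeric: longer wins
          sub(/^0+/, "", x); sub(/^0+/, "", y)
          if (length(x) != length(y)) return (length(x) > length(y)) ? 1 : -1
        }
        if (x != y) return (x > y) ? 1 : -1
      }
      return (a == "") ? ((b == "") ? 0 : -1) : 1
    }
    function ver(e) { sub(/-[^-]*$/, "", e); return e }   # part before last "-"
    function rel(e) { sub(/^.*-/, "", e); return e }      # part after last "-"
    function evrcmp(a, b,   c) {
      c = vercmp(ver(a), ver(b))
      return c ? c : vercmp(rel(a), rel(b))
    }
    $1 ~ /^(libopenssl0_9_8|compat-openssl098)/ && evrcmp($2, fixed) < 0 {
      print $1, $2; bad = 1
    }
    END { exit bad }
  '
}

# On a live system:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | find_unpatched
```

   Release numbers are compared numerically per segment, so a release such as 9.3 sorts below 70.2 even though a plain string comparison would place it above.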


References:

   http://support.novell.com/security/cve/CVE-2014-0224.html
   http://support.novell.com/security/cve/CVE-2014-3570.html
   http://support.novell.com/security/cve/CVE-2014-3571.html
   http://support.novell.com/security/cve/CVE-2014-3572.html
   http://support.novell.com/security/cve/CVE-2014-8275.html
   http://support.novell.com/security/cve/CVE-2015-0204.html
   http://support.novell.com/security/cve/CVE-2015-0205.html
   https://bugzilla.suse.com/892403
   https://bugzilla.suse.com/912014
   https://bugzilla.suse.com/912015
   https://bugzilla.suse.com/912018
   https://bugzilla.suse.com/912293
   https://bugzilla.suse.com/912294
   https://bugzilla.suse.com/912296


