SUSE-SU-2015:0305-1: moderate: Security update for compat-openssl098
sle-security-updates at lists.suse.com
Tue Feb 17 08:05:26 MST 2015
SUSE Security Update: Security update for compat-openssl098
______________________________________________________________________________
Announcement ID: SUSE-SU-2015:0305-1
Rating: moderate
References: #892403 #912014 #912015 #912018 #912293 #912294 #912296
Cross-References: CVE-2014-0224 CVE-2014-3570 CVE-2014-3571 CVE-2014-3572 CVE-2014-8275 CVE-2015-0204 CVE-2015-0205
Affected Products:
SUSE Linux Enterprise Module for Legacy Software 12
SUSE Linux Enterprise Desktop 12
______________________________________________________________________________
An update that fixes 7 vulnerabilities is now available.
Description:
The openssl 0.9.8j compatibility package was updated to fix several security vulnerabilities:

- CVE-2014-3570: Bignum squaring (BN_sqr) may produce incorrect results on some platforms, including x86_64.
- CVE-2014-3571: Fix a crash in dtls1_get_record while in the listen state, where two separate reads are performed: one for the header and one for the body of the handshake record.
- CVE-2014-3572: Do not accept a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted.
- CVE-2014-8275: Fixed various certificate fingerprint issues.
- CVE-2015-0204: Only allow ephemeral RSA keys in export ciphersuites.
- CVE-2015-0205: OpenSSL 0.9.8j is NOT vulnerable to CVE-2015-0205, as it doesn't support DH certificates, and this typo prohibits skipping of the certificate verify message for sign-only certificates anyway. (This patch only fixes the wrong condition.)

This update also fixes a regression caused by CVE-2014-0224.patch (bnc#892403).
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Module for Legacy Software 12:
    zypper in -t patch SUSE-SLE-Module-Legacy-12-2015-78=1
- SUSE Linux Enterprise Desktop 12:
    zypper in -t patch SUSE-SLE-DESKTOP-12-2015-78=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Module for Legacy Software 12 (s390x x86_64):
compat-openssl098-debugsource-0.9.8j-70.2
libopenssl0_9_8-0.9.8j-70.2
libopenssl0_9_8-32bit-0.9.8j-70.2
libopenssl0_9_8-debuginfo-0.9.8j-70.2
libopenssl0_9_8-debuginfo-32bit-0.9.8j-70.2
- SUSE Linux Enterprise Desktop 12 (x86_64):
compat-openssl098-debugsource-0.9.8j-70.2
libopenssl0_9_8-0.9.8j-70.2
libopenssl0_9_8-32bit-0.9.8j-70.2
libopenssl0_9_8-debuginfo-0.9.8j-70.2
libopenssl0_9_8-debuginfo-32bit-0.9.8j-70.2
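To confirm that the update was applied, the installed packages can be compared against the fixed version-release 0.9.8j-70.2 from the package list above. The script below is an added example, not part of SUSE's advisory; the function names and the sample input are constructed, and GNU `sort -V` is assumed as an approximation of RPM version ordering.

```shell
#!/bin/sh
# Fixed version-release, taken from the advisory's package list.
FIXED="0.9.8j-70.2"

# ver_ge A B: succeed if version A is equal to or newer than B.
# Assumption: GNU `sort -V` stands in for RPM's own comparison, which is
# adequate for the numeric release fields compared here.
ver_ge() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# audit_openssl098: read "name version-release" lines on stdin, print one
# verdict per package named in the advisory, and return non-zero if any of
# them is older than FIXED. Unrelated packages are ignored.
audit_openssl098() {
    rc=0
    while read -r name vr; do
        case "$name" in
            libopenssl0_9_8*|compat-openssl098*) ;;
            *) continue ;;
        esac
        if ver_ge "$vr" "$FIXED"; then
            echo "OK      $name $vr"
        else
            echo "UPDATE  $name $vr (needs >= $FIXED)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input (not real host data): one patched package,
# one outdated package, one unrelated package.
SAMPLE='libopenssl0_9_8 0.9.8j-70.2
libopenssl0_9_8-32bit 0.9.8j-62.1
bash 4.2-75.2'

printf '%s\n' "$SAMPLE" | audit_openssl098 ||
    echo "one or more packages still need the update"

# On a real system, feed the function from the RPM database instead:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | audit_openssl098
```

A host that does not have the compatibility package installed produces no output and a zero exit status, since there is nothing to update.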
References:
http://support.novell.com/security/cve/CVE-2014-0224.html
http://support.novell.com/security/cve/CVE-2014-3570.html
http://support.novell.com/security/cve/CVE-2014-3571.html
http://support.novell.com/security/cve/CVE-2014-3572.html
http://support.novell.com/security/cve/CVE-2014-8275.html
http://support.novell.com/security/cve/CVE-2015-0204.html
http://support.novell.com/security/cve/CVE-2015-0205.html
https://bugzilla.suse.com/892403
https://bugzilla.suse.com/912014
https://bugzilla.suse.com/912015
https://bugzilla.suse.com/912018
https://bugzilla.suse.com/912293
https://bugzilla.suse.com/912294
https://bugzilla.suse.com/912296