SUSE-SU-2015:0172-1: moderate: Security update for OpenSSL

sle-security-updates at sle-security-updates at
Wed Jan 28 23:05:28 MST 2015

   SUSE Security Update: Security update for OpenSSL

Announcement ID:    SUSE-SU-2015:0172-1
Rating:             moderate
References:         #912014 #912015 #912018 #912293 #912294 #912296 
Cross-References:   CVE-2014-3570 CVE-2014-3571 CVE-2014-3572
                    CVE-2014-8275 CVE-2015-0204 CVE-2015-0205
Affected Products:
                    SUSE Studio Onsite 1.3
                    SUSE Manager 1.7 for SLE 11 SP2
                    SUSE Linux Enterprise Server 10 SP4 LTSS

   An update that fixes 6 vulnerabilities is now available.


   OpenSSL has been updated to fix various security issues.

   More information can be found in the OpenSSL advisory:
   <> .

   The following issues have been fixed:


       * CVE-2014-3570: Bignum squaring (BN_sqr) may have produced incorrect
         results on some platforms, including x86_64. (bsc#912296)

       * CVE-2014-3571: Fixed a crash in dtls1_get_record whilst in the listen
         state, where two separate reads are performed: one for the header and
         one for the body of the handshake record. (bsc#912294)

       * CVE-2014-3572: Don't accept a handshake using an ephemeral ECDH
         ciphersuite with the server key exchange message omitted. (bsc#912015)

       * CVE-2014-8275: Fixed various certificate fingerprint issues.

       * CVE-2015-0204: Only allow ephemeral RSA keys in export ciphersuites.

       * CVE-2015-0205: A fix was added to prevent use of DH client
         certificates without sending a certificate verify message. Although
         the OpenSSL library from SLES 10 is not affected by this problem, a
         fix has been applied to the sources. (bsc#912293)

       * CVE-2015-0206: A memory leak was fixed in dtls1_buffer_record.

   Security Issues:

       * CVE-2014-8275
       * CVE-2014-3571
       * CVE-2015-0204
       * CVE-2014-3572
       * CVE-2014-3570
       * CVE-2015-0205

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Studio Onsite 1.3:

      zypper in -t patch slestso13-libopenssl-devel-10149

   - SUSE Manager 1.7 for SLE 11 SP2:

      zypper in -t patch sleman17sp2-libopenssl-devel-10149

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Studio Onsite 1.3 (x86_64):


   - SUSE Manager 1.7 for SLE 11 SP2 (x86_64):


   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64):


   - SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64):


