SUSE-SU-2015:0181-1: moderate: Security update for OpenSSL1

sle-security-updates at sle-security-updates at
Fri Jan 30 22:05:54 MST 2015

   SUSE Security Update: Security update for OpenSSL1

Announcement ID:    SUSE-SU-2015:0181-1
Rating:             moderate
References:         #906878 #912014 #912015 #912018 #912292 #912293 
                    #912294 #912296 
Cross-References:   CVE-2014-3570 CVE-2014-3571 CVE-2014-3572
                    CVE-2014-8275 CVE-2015-0204 CVE-2015-0205
Affected Products:
                    SUSE Linux Enterprise Security Module 11 SP3

   An update that solves 7 vulnerabilities and has one errata
   is now available.


   OpenSSL 1.0 has been updated to fix various security issues.

   More information can be found in the OpenSSL advisory.

   The following issues have been fixed:

       * CVE-2014-3570: Bignum squaring (BN_sqr) may have produced incorrect
         results on some platforms, including x86_64. (bsc#912296)
       * CVE-2014-3571: Fixed a crash in dtls1_get_record whilst in the listen
         state where you get two separate reads performed - one for the
         header and one for the body of the handshake record. (bsc#912294)
       * CVE-2014-3572: Don't accept a handshake using an ephemeral ECDH
         ciphersuite with the server key exchange message omitted.
         (bsc#912015)
       * CVE-2014-8275: Fixed various certificate fingerprint issues.
       * CVE-2015-0204: Only allow ephemeral RSA keys in export ciphersuites.
       * CVE-2015-0205: A fix was added to prevent use of DH client
         certificates without sending a certificate verify message.
         (bsc#912293)
       * CVE-2015-0206: A memory leak was fixed in dtls1_buffer_record.

   This update also contains a non-security bug fix:

       * The list of elliptic curves reported by TLS was adjusted to the ones
         available. (bsc#906878)

   Security Issues:

       * CVE-2014-8275
       * CVE-2014-3571
       * CVE-2015-0204
       * CVE-2014-3572
       * CVE-2014-3570
       * CVE-2015-0205
       * CVE-2015-0206

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Security Module 11 SP3:

      zypper in -t patch secsp3-libopenssl1-devel-10155

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Security Module 11 SP3 (i586 ia64 ppc64 s390x x86_64):


   - SUSE Linux Enterprise Security Module 11 SP3 (ppc64 s390x x86_64):


   - SUSE Linux Enterprise Security Module 11 SP3 (ia64):


