SUSE-SU-2015:0205-1: moderate: Security update for openssl
sle-updates at lists.suse.com
sle-updates at lists.suse.com
Tue Feb 3 10:08:56 MST 2015
SUSE Security Update: Security update for openssl
______________________________________________________________________________
Announcement ID: SUSE-SU-2015:0205-1
Rating: moderate
References: #855676 #895129 #901902 #906878 #908362 #908372
#912014 #912015 #912018 #912292 #912293 #912294
#912296
Cross-References: CVE-2014-3570 CVE-2014-3571 CVE-2014-3572
CVE-2014-8275 CVE-2015-0204 CVE-2015-0205
CVE-2015-0206
Affected Products:
SUSE Linux Enterprise Software Development Kit 12
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Desktop 12
______________________________________________________________________________
An update that solves 7 vulnerabilities and has 6 fixes is
now available.
Description:
OpenSSL was updated to fix security issues and also provide FIPS
compliance.
Security issues fixed: CVE-2014-3570: Bignum squaring (BN_sqr) may have
produced incorrect results on some platforms, including x86_64.
CVE-2014-3571: Fixed crash in dtls1_get_record whilst in the listen state
where you get two separate reads performed - one for the header and one
for the body of the handshake record.
CVE-2014-3572: No longer accept a handshake using an ephemeral ECDH
ciphersuites with the server key exchange message omitted.
CVE-2014-8275: Fixed various certificate fingerprint issues.
CVE-2015-0204: Only allow ephemeral RSA keys in export ciphersuites.
CVE-2015-0205: Fix to prevent use of DH client certificates without
sending certificate verify message.
CVE-2015-0206: A memory leak could have occured in dtls1_buffer_record.
Bugfixes:
- Do not advertise curves we don't support (bsc#906878)
FIPS changes:
- Make RSA2 key generation FIPS 186-4 compliant (bsc#901902)
- X9.31 rand method is not allowed in FIPS mode.
- Do not allow dynamic ENGINEs loading in FIPS mode.
- Added a locking hack which prevents hangs in FIPS mode (bsc#895129)
- In non-FIPS RSA key generation, mirror the maximum and minimum limiters
from FIPS rsa generation to meet Common Criteria and BSI TR requirements
on minimum and maximum distances between p and q. (bsc#908362)
- Do constant reseeding from /dev/urandom; for every random byte pulled,
seed with
one byte from /dev/urandom, also change RAND_poll to pull the full state
size of the SSLEAY DRBG to fulfil Common Criteria requirements.
(bsc#908372)
FIPS mode can be enabled by either using the environment variable
OPENSSL_FORCE_FIPS_MODE=1
or supplying the "fips=1" parameter on the kernel boot commandline.
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 12:
zypper in -t patch SUSE-SLE-SDK-12-2015-52
- SUSE Linux Enterprise Server 12:
zypper in -t patch SUSE-SLE-SERVER-12-2015-52
- SUSE Linux Enterprise Desktop 12:
zypper in -t patch SUSE-SLE-DESKTOP-12-2015-52
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):
libopenssl-devel-1.0.1i-17.1
openssl-debuginfo-1.0.1i-17.1
openssl-debugsource-1.0.1i-17.1
- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
libopenssl1_0_0-1.0.1i-17.1
libopenssl1_0_0-debuginfo-1.0.1i-17.1
libopenssl1_0_0-hmac-1.0.1i-17.1
openssl-1.0.1i-17.1
openssl-debuginfo-1.0.1i-17.1
openssl-debugsource-1.0.1i-17.1
- SUSE Linux Enterprise Server 12 (s390x x86_64):
libopenssl1_0_0-32bit-1.0.1i-17.1
libopenssl1_0_0-debuginfo-32bit-1.0.1i-17.1
libopenssl1_0_0-hmac-32bit-1.0.1i-17.1
- SUSE Linux Enterprise Server 12 (noarch):
openssl-doc-1.0.1i-17.1
- SUSE Linux Enterprise Desktop 12 (x86_64):
libopenssl1_0_0-1.0.1i-17.1
libopenssl1_0_0-32bit-1.0.1i-17.1
libopenssl1_0_0-debuginfo-1.0.1i-17.1
libopenssl1_0_0-debuginfo-32bit-1.0.1i-17.1
openssl-1.0.1i-17.1
openssl-debuginfo-1.0.1i-17.1
openssl-debugsource-1.0.1i-17.1
References:
http://support.novell.com/security/cve/CVE-2014-3570.html
http://support.novell.com/security/cve/CVE-2014-3571.html
http://support.novell.com/security/cve/CVE-2014-3572.html
http://support.novell.com/security/cve/CVE-2014-8275.html
http://support.novell.com/security/cve/CVE-2015-0204.html
http://support.novell.com/security/cve/CVE-2015-0205.html
http://support.novell.com/security/cve/CVE-2015-0206.html
https://bugzilla.suse.com/show_bug.cgi?id=855676
https://bugzilla.suse.com/show_bug.cgi?id=895129
https://bugzilla.suse.com/show_bug.cgi?id=901902
https://bugzilla.suse.com/show_bug.cgi?id=906878
https://bugzilla.suse.com/show_bug.cgi?id=908362
https://bugzilla.suse.com/show_bug.cgi?id=908372
https://bugzilla.suse.com/show_bug.cgi?id=912014
https://bugzilla.suse.com/show_bug.cgi?id=912015
https://bugzilla.suse.com/show_bug.cgi?id=912018
https://bugzilla.suse.com/show_bug.cgi?id=912292
https://bugzilla.suse.com/show_bug.cgi?id=912293
https://bugzilla.suse.com/show_bug.cgi?id=912294
https://bugzilla.suse.com/show_bug.cgi?id=912296
More information about the sle-updates
mailing list