Security update for openssl-1_0_0

Announcement ID:	SUSE-SU-2018:4001-1
Rating:	moderate
References:	bsc#1100078 bsc#1112209 bsc#1113534 bsc#1113652 bsc#1113742
Cross-References:	CVE-2018-0734 CVE-2018-5407
CVSS scores:	CVE-2018-0734 ( SUSE ): 5.9 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N CVE-2018-0734 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2018-0734 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2018-5407 ( SUSE ): 4.8 CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2018-5407 ( NVD ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2018-5407 ( NVD ): 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected Products:	Legacy Module 15 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server for SAP Applications 15

An update that solves two vulnerabilities and has three security fixes can now be installed.

Description:

This update for openssl-1_0_0 fixes the following issues:

Security issues fixed:

• CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652).
• CVE-2018-5407: Added elliptic curve scalar multiplication timing attack defenses that fixes "PortSmash" (bsc#1113534).

Non-security issues fixed:

• Added missing timing side channel patch for DSA signature generation (bsc#1113742).
• Set TLS version to 0 in msg_callback for record messages to avoid confusing applications (bsc#1100078).
• Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Legacy Module 15
  zypper in -t patch SUSE-SLE-Module-Legacy-15-2018-2862=1

Package List:

• Legacy Module 15 (aarch64 ppc64le s390x x86_64)
  • libopenssl-1_0_0-devel-1.0.2p-3.11.1
  • openssl-1_0_0-1.0.2p-3.11.1
  • openssl-1_0_0-debuginfo-1.0.2p-3.11.1
  • openssl-1_0_0-debugsource-1.0.2p-3.11.1
  • libopenssl1_0_0-1.0.2p-3.11.1
  • libopenssl1_0_0-debuginfo-1.0.2p-3.11.1

References:

• https://www.suse.com/security/cve/CVE-2018-0734.html
• https://www.suse.com/security/cve/CVE-2018-5407.html
• https://bugzilla.suse.com/show_bug.cgi?id=1100078
• https://bugzilla.suse.com/show_bug.cgi?id=1112209
• https://bugzilla.suse.com/show_bug.cgi?id=1113534
• https://bugzilla.suse.com/show_bug.cgi?id=1113652
• https://bugzilla.suse.com/show_bug.cgi?id=1113742