Security update for openssl-1_0_0

Announcement ID:	SUSE-SU-2019:0600-1
Rating:	moderate
References:	bsc#1117951 bsc#1127080
Cross-References:	CVE-2019-1559
CVSS scores:	CVE-2019-1559 ( SUSE ): 4.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N CVE-2019-1559 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2019-1559 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:	Legacy Module 15 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server for SAP Applications 15

An update that solves one vulnerability and has one security fix can now be installed.

Description:

This update for openssl-1_0_0 fixes the following issues:

Security issues fixed:

• The 9 Lives of Bleichenbacher's CAT: Cache Attacks on TLS Implementations (bsc#1117951)
• CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding Oracle which under certain circumstances a TLS server can be forced to respond differently to a client and lead to the decryption of the data (bsc#1127080).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Legacy Module 15
  zypper in -t patch SUSE-SLE-Module-Legacy-15-2019-600=1

Package List:

• Legacy Module 15 (aarch64 ppc64le s390x x86_64)
  • libopenssl1_0_0-debuginfo-1.0.2p-3.14.2
  • libopenssl-1_0_0-devel-1.0.2p-3.14.2
  • openssl-1_0_0-debugsource-1.0.2p-3.14.2
  • openssl-1_0_0-1.0.2p-3.14.2
  • openssl-1_0_0-debuginfo-1.0.2p-3.14.2
  • libopenssl1_0_0-1.0.2p-3.14.2

References:

• https://www.suse.com/security/cve/CVE-2019-1559.html
• https://bugzilla.suse.com/show_bug.cgi?id=1117951
• https://bugzilla.suse.com/show_bug.cgi?id=1127080