Recommended update for openssl-1_1

Announcement ID:	SUSE-RU-2020:3560-1
Rating:	moderate
References:	bsc#1158499 bsc#1160158 bsc#1161198 bsc#1161203 bsc#1163569 bsc#1165281 bsc#1165534 bsc#1166848 bsc#1175847 bsc#1177479 jsc#SLE-8789
Affected Products:	Basesystem Module 15-SP1 SUSE Linux Enterprise Desktop 15 SP1 SUSE Linux Enterprise High Performance Computing 15 SP1 SUSE Linux Enterprise Real Time 15 SP1 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Manager Proxy 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Server 4.0

An update that contains one feature and has 10 fixes can now be installed.

Description:

This update for openssl-1_1 fixes the following issues:

This update backports various bugfixes for FIPS:

• Restore private key check in EC_KEY_check_key [bsc#1177479]
• Add shared secret KAT to FIPS DH selftest [bsc#1175847]
• Include ECDH/DH Requirements from SP800-56Arev3 [bsc#1175847]
• Fix locking issue uncovered by python testsuite (bsc#1166848)
• Fix the sequence of locking operations in FIPS mode [bsc#1165534]
• Fix deadlock in FIPS rand code (bsc#1165281)
• Fix wrong return values of FIPS DSA and ECDH selftests (bsc#1163569)
• Fix FIPS DRBG without derivation function (bsc#1161198)
• Allow md5_sha1 in FIPS mode to enable TLS 1.0 (bsc#1161203)

• Obsolete libopenssl-1_0_0-hmac for a clean upgrade from SLE-12 (bsc#1158499)

• Restore the EVP_PBE_scrypt() behavior from before the KDF patch by treating salt=NULL as salt="" (bsc#1160158)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Basesystem Module 15-SP1
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3560=1

Package List:

• Basesystem Module 15-SP1 (aarch64 ppc64le s390x x86_64)
  • libopenssl1_1-1.1.0i-14.9.1
  • libopenssl1_1-hmac-1.1.0i-14.9.1
  • openssl-1_1-debuginfo-1.1.0i-14.9.1
  • openssl-1_1-1.1.0i-14.9.1
  • libopenssl1_1-debuginfo-1.1.0i-14.9.1
  • libopenssl-1_1-devel-1.1.0i-14.9.1
  • openssl-1_1-debugsource-1.1.0i-14.9.1
• Basesystem Module 15-SP1 (x86_64)
  • libopenssl-1_1-devel-32bit-1.1.0i-14.9.1
  • libopenssl1_1-32bit-1.1.0i-14.9.1
  • libopenssl1_1-hmac-32bit-1.1.0i-14.9.1
  • libopenssl1_1-32bit-debuginfo-1.1.0i-14.9.1

References:

• https://bugzilla.suse.com/show_bug.cgi?id=1158499
• https://bugzilla.suse.com/show_bug.cgi?id=1160158
• https://bugzilla.suse.com/show_bug.cgi?id=1161198
• https://bugzilla.suse.com/show_bug.cgi?id=1161203
• https://bugzilla.suse.com/show_bug.cgi?id=1163569
• https://bugzilla.suse.com/show_bug.cgi?id=1165281
• https://bugzilla.suse.com/show_bug.cgi?id=1165534
• https://bugzilla.suse.com/show_bug.cgi?id=1166848
• https://bugzilla.suse.com/show_bug.cgi?id=1175847
• https://bugzilla.suse.com/show_bug.cgi?id=1177479
• https://jira.suse.com/browse/SLE-8789