Upstream information

CVE-2016-0704 at MITRE

Description

An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.

SUSE information

CVSS v2 Scores
  National Vulnerability Database
  Base Score: 4.30
  Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality Impact: Partial
  Integrity Impact: None
  Availability Impact: None

CVSS v3 Scores
  National Vulnerability Database
  Base Score: 5.9
  Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  Access Vector: Network
  Access Complexity: High
  Privileges Required: None
  User Interaction: None
  Scope: Unchanged
  Confidentiality Impact: High
  Integrity Impact: None
  Availability Impact: None

SUSE Bugzilla entries: 968044 [RESOLVED / FIXED], 968053 [RESOLVED / FIXED], 986238 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) | Fixed package version(s) | References
SUSE Linux Enterprise Desktop 12
  • compat-openssl098 >= 0.9.8j-94.1
  • libopenssl0_9_8 >= 0.9.8j-94.1
  • libopenssl0_9_8-32bit >= 0.9.8j-94.1
  • libopenssl1_0_0 >= 1.0.1i-27.13.1
  • libopenssl1_0_0-32bit >= 1.0.1i-27.13.1
  • openssl >= 1.0.1i-27.13.1
Patchnames:
SUSE-SLE-DESKTOP-12-2016-352
SUSE-SLE-DESKTOP-12-2016-367
SUSE Linux Enterprise Desktop 12 SP1
  • compat-openssl098 >= 0.9.8j-94.1
  • libopenssl0_9_8 >= 0.9.8j-94.1
  • libopenssl0_9_8-32bit >= 0.9.8j-94.1
  • libopenssl1_0_0 >= 1.0.1i-44.1
  • libopenssl1_0_0-32bit >= 1.0.1i-44.1
  • openssl >= 1.0.1i-44.1
Patchnames:
SUSE-SLE-DESKTOP-12-SP1-2016-353
SUSE-SLE-DESKTOP-12-SP1-2016-367
SUSE Linux Enterprise Module for Containers 12
  • sles11sp4-docker-image >= 1.1.1-20160304104123
  • sles12-docker-image >= 1.1.1-20160307082632
  • sles12sp1-docker-image >= 1.0.4-20160308170633
Patchnames:
SUSE-SLE-Module-Containers-12-2016-440
SUSE-SLE-Module-Containers-12-2016-457
SUSE-SLE-Module-Containers-12-2016-459
SUSE Linux Enterprise Module for Legacy Software 12
  • compat-openssl098 >= 0.9.8j-94.1
  • libopenssl0_9_8 >= 0.9.8j-94.1
  • libopenssl0_9_8-32bit >= 0.9.8j-94.1
Patchnames:
SUSE-SLE-Module-Legacy-12-2016-367
SUSE Linux Enterprise Server 11-SECURITY
  • libopenssl1-devel >= 1.0.1g-0.40.1
  • libopenssl1_0_0 >= 1.0.1g-0.40.1
  • libopenssl1_0_0-32bit >= 1.0.1g-0.40.1
  • libopenssl1_0_0-x86 >= 1.0.1g-0.40.1
  • openssl1 >= 1.0.1g-0.40.1
  • openssl1-doc >= 1.0.1g-0.40.1
Patchnames:
secsp3-openssl1-12429
SUSE Linux Enterprise Server 12
  • libopenssl1_0_0 >= 1.0.1i-27.13.1
  • libopenssl1_0_0-32bit >= 1.0.1i-27.13.1
  • libopenssl1_0_0-hmac >= 1.0.1i-27.13.1
  • libopenssl1_0_0-hmac-32bit >= 1.0.1i-27.13.1
  • openssl >= 1.0.1i-27.13.1
  • openssl-doc >= 1.0.1i-27.13.1
Patchnames:
SUSE-SLE-SERVER-12-2016-352
SUSE Linux Enterprise Server 12 SP1
  • libopenssl1_0_0 >= 1.0.1i-44.1
  • libopenssl1_0_0-32bit >= 1.0.1i-44.1
  • libopenssl1_0_0-hmac >= 1.0.1i-44.1
  • libopenssl1_0_0-hmac-32bit >= 1.0.1i-44.1
  • openssl >= 1.0.1i-44.1
  • openssl-doc >= 1.0.1i-44.1
Patchnames:
SUSE-SLE-SERVER-12-SP1-2016-353
SUSE Linux Enterprise Software Development Kit 12
  • libopenssl-devel >= 1.0.1i-27.13.1
  • openssl >= 1.0.1i-27.13.1
Patchnames:
SUSE-SLE-SDK-12-2016-352
SUSE Linux Enterprise Software Development Kit 12 SP1
  • libopenssl-devel >= 1.0.1i-44.1
  • openssl >= 1.0.1i-44.1
Patchnames:
SUSE-SLE-SDK-12-SP1-2016-353
SUSE Linux Enterprise for SAP 12 SP1
  • compat-openssl098 >= 0.9.8j-94.1
  • libopenssl0_9_8 >= 0.9.8j-94.1
Patchnames:
SUSE-SLE-SAP-12-SP1-2016-367
SUSE Linux Enterprise Server 10 SP4 LTSS for x86
  • openssl >= 0.9.8a-18.94.2
  • openssl-devel >= 0.9.8a-18.94.2
  • openssl-doc >= 0.9.8a-18.94.2
Builds
ZYPP Patch Nr: 9235
SUSE Linux Enterprise Server 10 SP4 LTSS for AMD64 and Intel EM64T
SUSE Linux Enterprise Server 10 SP4 LTSS for IBM zSeries 64bit
  • openssl >= 0.9.8a-18.94.2
  • openssl-32bit >= 0.9.8a-18.94.2
  • openssl-devel >= 0.9.8a-18.94.2
  • openssl-devel-32bit >= 0.9.8a-18.94.2
  • openssl-doc >= 0.9.8a-18.94.2
Builds
ZYPP Patch Nr: 9235
openSUSE 13.1
  • libopenssl-devel >= 1.0.1k-11.84.1
  • libopenssl-devel-32bit >= 1.0.1k-11.84.1
  • libopenssl1_0_0 >= 1.0.1k-11.84.1
  • libopenssl1_0_0-32bit >= 1.0.1k-11.84.1
  • libopenssl1_0_0-debuginfo >= 1.0.1k-11.84.1
  • libopenssl1_0_0-debuginfo-32bit >= 1.0.1k-11.84.1
  • openssl >= 1.0.1k-11.84.1
  • openssl-debuginfo >= 1.0.1k-11.84.1
  • openssl-debugsource >= 1.0.1k-11.84.1
  • openssl-doc >= 1.0.1k-11.84.1
Patchnames:
2016-292
openSUSE Leap 42.1
  • compat-openssl098 >= 0.9.8j-9.1
  • compat-openssl098-debugsource >= 0.9.8j-9.1
  • libopenssl-devel >= 1.0.1i-12.1
  • libopenssl-devel-32bit >= 1.0.1i-12.1
  • libopenssl0_9_8 >= 0.9.8j-9.1
  • libopenssl0_9_8-32bit >= 0.9.8j-9.1
  • libopenssl0_9_8-debuginfo >= 0.9.8j-9.1
  • libopenssl0_9_8-debuginfo-32bit >= 0.9.8j-9.1
  • libopenssl1_0_0 >= 1.0.1i-12.1
  • libopenssl1_0_0-32bit >= 1.0.1i-12.1
  • libopenssl1_0_0-debuginfo >= 1.0.1i-12.1
  • libopenssl1_0_0-debuginfo-32bit >= 1.0.1i-12.1
  • libopenssl1_0_0-hmac >= 1.0.1i-12.1
  • libopenssl1_0_0-hmac-32bit >= 1.0.1i-12.1
  • openssl >= 1.0.1i-12.1
  • openssl-debuginfo >= 1.0.1i-12.1
  • openssl-debugsource >= 1.0.1i-12.1
  • openssl-doc >= 1.0.1i-12.1
Patchnames:
openSUSE-2016-289
openSUSE-2016-327