CVE-2016-2178

Upstream information

CVE-2016-2178 at MITRE

Description

The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.

SUSE information

CVSS v2 Scores
	National Vulnerability Database	SUSE
Base Score	2.11	1.17
Vector	AV:L/AC:L/Au:N/C:P/I:N/A:N	AV:L/AC:H/Au:N/C:P/I:N/A:N
Access Vector	Local	Local
Access Complexity	Low	High
Authentication	None	None
Confidentiality Impact	Partial	Partial
Integrity Impact	None	None
Availability Impact	None	None

CVSS v3 Scores
	National Vulnerability Database
Base Score	5.5
Vector	AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Access Vector	Local
Access Complexity	Low
Privileges Required	Low
User Interaction	None
Scope	Unchanged
Confidentiality Impact	High
Integrity Impact	None
Availability Impact	None

This issue is currently rated as having moderate severity.

SUSE Bugzilla entries: 983249 [RESOLVED / FIXED], 983519 [RESOLVED / DUPLICATE], 999665 [RESOLVED / FIXED]

SUSE Security Advisories:

SUSE-SU-2016:2387-1, published Mon, 26 Sep 2016 19:10:10 +0200 (CEST)
SUSE-SU-2016:2394-1, published Tue, 27 Sep 2016 19:11:34 +0200 (CEST)
SUSE-SU-2016:2458-1, published Wed, 5 Oct 2016 18:09:41 +0200 (CEST)
SUSE-SU-2016:2468-1, published Thu, 6 Oct 2016 20:09:29 +0200 (CEST)
SUSE-SU-2016:2469-1, published Thu, 6 Oct 2016 20:11:44 +0200 (CEST)
SUSE-SU-2016:2470-1, published Thu, 6 Oct 2016 20:14:21 +0200 (CEST)
SUSE-SU-2016:2470-2, published Tue, 1 Nov 2016 16:19:35 +0100 (CET)
openSUSE-SU-2016:2391-1, published Tue, 27 Sep 2016 11:09:12 +0200 (CEST)
openSUSE-SU-2016:2407-1, published Wed, 28 Sep 2016 12:10:35 +0200 (CEST)
openSUSE-SU-2016:2496-1, published Tue, 11 Oct 2016 19:20:03 +0200 (CEST)
openSUSE-SU-2016:2537-1, published Fri, 14 Oct 2016 15:09:07 +0200 (CEST)

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Linux Enterprise Desktop 12 SP1	`compat-openssl098 >= 0.9.8j-102.1` `libopenssl0_9_8 >= 0.9.8j-102.1` `libopenssl0_9_8-32bit >= 0.9.8j-102.1` `libopenssl1_0_0 >= 1.0.1i-52.1` `libopenssl1_0_0-32bit >= 1.0.1i-52.1` `openssl >= 1.0.1i-52.1`	Patchnames: SUSE-SLE-DESKTOP-12-SP1-2016-1393 SUSE-SLE-DESKTOP-12-SP1-2016-1441
SUSE Linux Enterprise Desktop 12 SP2	`libopenssl-devel >= 1.0.2j-55.1` `libopenssl0_9_8 >= 0.9.8j-102.1` `libopenssl0_9_8-32bit >= 0.9.8j-102.1` `libopenssl1_0_0 >= 1.0.2j-55.1` `libopenssl1_0_0-32bit >= 1.0.2j-55.1` `openssl >= 1.0.2j-55.1`	Patchnames: SUSE Linux Enterprise Desktop 12 SP2 GA libopenssl-devel SUSE Linux Enterprise Desktop 12 SP2 GA libopenssl0_9_8
SUSE Linux Enterprise Module for Legacy Software 12	`compat-openssl098 >= 0.9.8j-102.1` `libopenssl0_9_8 >= 0.9.8j-102.1` `libopenssl0_9_8-32bit >= 0.9.8j-102.1`	Patchnames: SUSE-SLE-Module-Legacy-12-2016-1441
SUSE Linux Enterprise Module for Web Scripting 12	`nodejs4 >= 4.6.0-8.1` `nodejs4-devel >= 4.6.0-8.1` `nodejs4-docs >= 4.6.0-8.1` `npm4 >= 4.6.0-8.1`	Patchnames: SUSE-SLE-Module-Web-Scripting-12-2016-1439
SUSE Linux Enterprise Point of Sale 11 SP3	`libopenssl-devel >= 0.9.8j-0.102.2` `libopenssl0_9_8 >= 0.9.8j-0.102.2` `libopenssl0_9_8-hmac >= 0.9.8j-0.102.2` `openssl >= 0.9.8j-0.102.2` `openssl-doc >= 0.9.8j-0.102.2`	Patchnames: sleposp3-openssl-12774
SUSE Linux Enterprise Server 11 SP2-LTSS	`libopenssl-devel >= 0.9.8j-0.102.2` `libopenssl0_9_8 >= 0.9.8j-0.102.2` `libopenssl0_9_8-32bit >= 0.9.8j-0.102.2` `libopenssl0_9_8-hmac >= 0.9.8j-0.102.2` `libopenssl0_9_8-hmac-32bit >= 0.9.8j-0.102.2` `openssl >= 0.9.8j-0.102.2` `openssl-doc >= 0.9.8j-0.102.2`	Patchnames: slessp2-openssl-12774
SUSE Linux Enterprise Server 11 SP3-LTSS	`libopenssl-devel >= 0.9.8j-0.102.2` `libopenssl0_9_8 >= 0.9.8j-0.102.2` `libopenssl0_9_8-32bit >= 0.9.8j-0.102.2` `libopenssl0_9_8-hmac >= 0.9.8j-0.102.2` `libopenssl0_9_8-hmac-32bit >= 0.9.8j-0.102.2` `openssl >= 0.9.8j-0.102.2` `openssl-doc >= 0.9.8j-0.102.2`	Patchnames: slessp3-openssl-12774
SUSE Linux Enterprise Server 11 SP4	`libopenssl0_9_8 >= 0.9.8j-0.102.2` `libopenssl0_9_8-32bit >= 0.9.8j-0.102.2` `libopenssl0_9_8-hmac >= 0.9.8j-0.102.2` `libopenssl0_9_8-hmac-32bit >= 0.9.8j-0.102.2` `libopenssl0_9_8-x86 >= 0.9.8j-0.102.2` `openssl >= 0.9.8j-0.102.2` `openssl-doc >= 0.9.8j-0.102.2`	Patchnames: slessp4-openssl-12774
SUSE Linux Enterprise Server 11-SECURITY	`libopenssl1-devel >= 1.0.1g-0.52.1` `libopenssl1_0_0 >= 1.0.1g-0.52.1` `libopenssl1_0_0-32bit >= 1.0.1g-0.52.1` `libopenssl1_0_0-x86 >= 1.0.1g-0.52.1` `openssl1 >= 1.0.1g-0.52.1` `openssl1-doc >= 1.0.1g-0.52.1`	Patchnames: secsp3-openssl1-12777
SUSE Linux Enterprise Server 12 SP1	`libopenssl1_0_0 >= 1.0.1i-52.1` `libopenssl1_0_0-32bit >= 1.0.1i-52.1` `libopenssl1_0_0-hmac >= 1.0.1i-52.1` `libopenssl1_0_0-hmac-32bit >= 1.0.1i-52.1` `openssl >= 1.0.1i-52.1` `openssl-doc >= 1.0.1i-52.1`	Patchnames: SUSE-SLE-SERVER-12-SP1-2016-1393
SUSE Linux Enterprise Server 12 SP2	`libopenssl-devel >= 1.0.2j-55.1` `libopenssl1_0_0 >= 1.0.2j-55.1` `libopenssl1_0_0-32bit >= 1.0.2j-55.1` `libopenssl1_0_0-hmac >= 1.0.2j-55.1` `libopenssl1_0_0-hmac-32bit >= 1.0.2j-55.1` `openssl >= 1.0.2j-55.1` `openssl-doc >= 1.0.2j-55.1`	Patchnames: SUSE Linux Enterprise Server 12 SP2 GA libopenssl-devel
SUSE Linux Enterprise Server 12-LTSS	`libopenssl1_0_0 >= 1.0.1i-27.21.1` `libopenssl1_0_0-32bit >= 1.0.1i-27.21.1` `libopenssl1_0_0-hmac >= 1.0.1i-27.21.1` `libopenssl1_0_0-hmac-32bit >= 1.0.1i-27.21.1` `openssl >= 1.0.1i-27.21.1` `openssl-doc >= 1.0.1i-27.21.1`	Patchnames: SUSE-SLE-SERVER-12-2016-1386
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2	`libopenssl-devel >= 1.0.2j-55.1` `libopenssl1_0_0 >= 1.0.2j-55.1` `libopenssl1_0_0-hmac >= 1.0.2j-55.1` `openssl >= 1.0.2j-55.1` `openssl-doc >= 1.0.2j-55.1`	Patchnames: SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 GA libopenssl-devel
SUSE Linux Enterprise Software Development Kit 11 SP4	`libopenssl-devel >= 0.9.8j-0.102.2` `libopenssl-devel-32bit >= 0.9.8j-0.102.2` `openssl >= 0.9.8j-0.102.2`	Patchnames: sdksp4-openssl-12774
SUSE Linux Enterprise Software Development Kit 12 SP1	`libopenssl-devel >= 1.0.1i-52.1` `openssl >= 1.0.1i-52.1`	Patchnames: SUSE-SLE-SDK-12-SP1-2016-1393
SUSE Linux Enterprise Software Development Kit 12 SP2	`libopenssl-devel >= 1.0.2j-55.1`	Patchnames: SUSE Linux Enterprise Software Development Kit 12 SP2 GA libopenssl-devel
SUSE Linux Enterprise for SAP 12	`libopenssl1_0_0 >= 1.0.1i-27.21.1` `libopenssl1_0_0-32bit >= 1.0.1i-27.21.1` `libopenssl1_0_0-hmac >= 1.0.1i-27.21.1` `libopenssl1_0_0-hmac-32bit >= 1.0.1i-27.21.1` `openssl >= 1.0.1i-27.21.1` `openssl-doc >= 1.0.1i-27.21.1`	Patchnames: SUSE-SLE-SAP-12-2016-1386
SUSE Linux Enterprise for SAP 12 SP1	`compat-openssl098 >= 0.9.8j-102.1` `libopenssl0_9_8 >= 0.9.8j-102.1`	Patchnames: SUSE-SLE-SAP-12-SP1-2016-1441
SUSE Manager 2.1	`libopenssl-devel >= 0.9.8j-0.102.2` `libopenssl0_9_8 >= 0.9.8j-0.102.2` `libopenssl0_9_8-32bit >= 0.9.8j-0.102.2` `libopenssl0_9_8-hmac >= 0.9.8j-0.102.2` `libopenssl0_9_8-hmac-32bit >= 0.9.8j-0.102.2` `openssl >= 0.9.8j-0.102.2` `openssl-doc >= 0.9.8j-0.102.2`	Patchnames: sleman21-openssl-12774
SUSE Manager Proxy 2.1	`libopenssl-devel >= 0.9.8j-0.102.2` `libopenssl0_9_8 >= 0.9.8j-0.102.2` `libopenssl0_9_8-32bit >= 0.9.8j-0.102.2` `libopenssl0_9_8-hmac >= 0.9.8j-0.102.2` `libopenssl0_9_8-hmac-32bit >= 0.9.8j-0.102.2` `openssl >= 0.9.8j-0.102.2` `openssl-doc >= 0.9.8j-0.102.2`	Patchnames: slemap21-openssl-12774
SUSE OpenStack Cloud 5	`libopenssl-devel >= 0.9.8j-0.102.2` `libopenssl0_9_8 >= 0.9.8j-0.102.2` `libopenssl0_9_8-32bit >= 0.9.8j-0.102.2` `libopenssl0_9_8-hmac >= 0.9.8j-0.102.2` `libopenssl0_9_8-hmac-32bit >= 0.9.8j-0.102.2` `openssl >= 0.9.8j-0.102.2` `openssl-doc >= 0.9.8j-0.102.2`	Patchnames: sleclo50sp3-openssl-12774
SUSE Studio Onsite 1.3	`libopenssl-devel >= 0.9.8j-0.102.2` `openssl >= 0.9.8j-0.102.2`	Patchnames: slestso13-openssl-12774
openSUSE 13.2	`libopenssl-devel >= 1.0.1k-2.39.1` `libopenssl-devel-32bit >= 1.0.1k-2.39.1` `libopenssl1_0_0 >= 1.0.1k-2.39.1` `libopenssl1_0_0-32bit >= 1.0.1k-2.39.1` `libopenssl1_0_0-debuginfo >= 1.0.1k-2.39.1` `libopenssl1_0_0-debuginfo-32bit >= 1.0.1k-2.39.1` `libopenssl1_0_0-hmac >= 1.0.1k-2.39.1` `libopenssl1_0_0-hmac-32bit >= 1.0.1k-2.39.1` `nodejs >= 4.6.0-24.2` `nodejs-debuginfo >= 4.6.0-24.2` `nodejs-debugsource >= 4.6.0-24.2` `nodejs-devel >= 4.6.0-24.2` `nodejs-doc >= 4.6.0-24.2` `openssl >= 1.0.1k-2.39.1` `openssl-debuginfo >= 1.0.1k-2.39.1` `openssl-debugsource >= 1.0.1k-2.39.1` `openssl-doc >= 1.0.1k-2.39.1`	Patchnames: openSUSE-2016-1130 openSUSE-2016-1172
openSUSE Leap 42.1	`compat-openssl098 >= 0.9.8j-15.1` `compat-openssl098-debugsource >= 0.9.8j-15.1` `libopenssl-devel >= 1.0.1i-18.1` `libopenssl-devel-32bit >= 1.0.1i-18.1` `libopenssl0_9_8 >= 0.9.8j-15.1` `libopenssl0_9_8-32bit >= 0.9.8j-15.1` `libopenssl0_9_8-debuginfo >= 0.9.8j-15.1` `libopenssl0_9_8-debuginfo-32bit >= 0.9.8j-15.1` `libopenssl1_0_0 >= 1.0.1i-18.1` `libopenssl1_0_0-32bit >= 1.0.1i-18.1` `libopenssl1_0_0-debuginfo >= 1.0.1i-18.1` `libopenssl1_0_0-debuginfo-32bit >= 1.0.1i-18.1` `libopenssl1_0_0-hmac >= 1.0.1i-18.1` `libopenssl1_0_0-hmac-32bit >= 1.0.1i-18.1` `nodejs >= 4.6.0-33.1` `nodejs-debuginfo >= 4.6.0-33.1` `nodejs-debugsource >= 4.6.0-33.1` `nodejs-devel >= 4.6.0-33.1` `nodejs-doc >= 4.6.0-24.2` `nodejs-docs >= 4.6.0-33.1` `npm >= 4.6.0-33.1` `openssl >= 1.0.1i-18.1` `openssl-debuginfo >= 1.0.1i-18.1` `openssl-debugsource >= 1.0.1i-18.1` `openssl-doc >= 1.0.1i-18.1`	Patchnames: openSUSE-2016-1134 openSUSE-2016-1172 openSUSE-2016-1189
openSUSE Leap 42.2	`libopenssl-devel >= 1.0.2j-2.2` `libopenssl1_0_0 >= 1.0.2j-2.2` `libopenssl1_0_0-32bit >= 1.0.2j-2.2` `openssl >= 1.0.2j-2.2`	Patchnames: openSUSE Leap 42.2 GA libopenssl-devel
openSUSE Tumbleweed	`libopenssl-devel >= 1.0.2j-2.2` `libopenssl-devel-32bit >= 1.0.2j-2.2` `libopenssl1_0_0 >= 1.0.2j-2.2` `libopenssl1_0_0-32bit >= 1.0.2j-2.2` `libopenssl1_0_0-hmac >= 1.0.2j-2.2` `libopenssl1_0_0-hmac-32bit >= 1.0.2j-2.2` `nodejs4 >= 4.7.0-1.1` `nodejs4-devel >= 4.7.0-1.1` `nodejs4-docs >= 4.7.0-1.1` `npm4 >= 4.7.0-1.1` `openssl >= 1.0.2j-2.2` `openssl-doc >= 1.0.2j-2.2`	Patchnames: openSUSE Tumbleweed GA libopenssl-devel openSUSE Tumbleweed GA nodejs4

List of planned updates

The following information is the current evaluation information for this security issue. It might neither be accurate nor complete, Use at own risk.

Product(s)	Source package
SUSE Linux Enterprise Server 10 SP4 LTSS SUSE Linux Enterprise Server for SAP 11 SP3 SUSE Linux Enterprise Server for SAP 11 SP4	compat-openssl097g
SUSE Linux Enterprise Server 10 SP4 LTSS	openssl
SUSE Linux Enterprise Server 10 SP4 LTSS	openssl