Security update for OpenSSL
References: #739719 #758060 #802648 #802746
An update that contains security fixes can now be installed.
OpenSSL on SUSE Linux Enterprise Server 9 LTSS has been
updated to receive a roll up of security fixes from the
The following issues have been fixed:
CVE-2013-0169: The TLS protocol and the DTLS
protocol, as used in OpenSSL and other products, did not
properly consider timing side-channel attacks on a MAC
check requirement during the processing of malformed CBC
padding, which allowed remote attackers to conduct
distinguishing attacks and plaintext-recovery attacks via
statistical analysis of timing data for crafted packets,
aka the "Lucky Thirteen" issue.
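As an added illustration of the CVE-2013-0169 weakness (example code written for this page, not OpenSSL's own), the C below contrasts a TLS CBC padding check that returns on the first bad byte with a constant-time version that scans a length-independent number of bytes. The record layout, `make_record` and the 20-byte MAC length are constructed assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 1 if a < b, computed without a branch (valid for a, b far below 2^63,
 * which TLS record lengths always are). */
static size_t ct_lt(size_t a, size_t b) { return (a - b) >> (sizeof(size_t) * 8 - 1); }

/* Variable-time check: returns on the first bad byte, so elapsed time
 * reveals how many padding bytes were correct (the leak Lucky Thirteen measures). */
int tls_padding_check_naive(const uint8_t *rec, size_t len, size_t mac_len)
{
    if (len < mac_len + 1) return 0;
    size_t pad = rec[len - 1];
    if (pad + 1 + mac_len > len) return 0;
    for (size_t i = 1; i <= pad; i++)
        if (rec[len - 1 - i] != pad) return 0;   /* early exit on mismatch */
    return 1;
}

/* Constant-time check: bytes scanned depend only on the public record
 * length; mismatches are accumulated with bitwise ops, never branched on. */
int tls_padding_check_ct(const uint8_t *rec, size_t len, size_t mac_len)
{
    if (len < mac_len + 1) return 0;                  /* public lengths only */
    size_t pad = rec[len - 1];
    size_t ok = ct_lt(pad + mac_len, len);            /* pad + 1 + mac_len <= len */
    size_t scan = len - 1 - mac_len;                  /* TLS pad length is at most 255 */
    if (scan > 255) scan = 255;
    uint8_t diff = 0;
    for (size_t i = 1; i <= scan; i++) {
        uint8_t m = (uint8_t)(0 - ct_lt(i - 1, pad)); /* 0xFF while i <= pad, else 0 */
        diff |= (rec[len - 1 - i] ^ (uint8_t)pad) & m;
    }
    return (int)(ok & ct_lt(diff, 1));                /* ok && diff == 0 */
}

/* Constructed record (not real TLS traffic): 8 plaintext bytes, a 20-byte
 * dummy MAC, then `pad` bytes of value `pad` followed by the length byte. */
static size_t make_record(uint8_t *out, uint8_t pad)
{
    memcpy(out, "hello!!!", 8);
    memset(out + 8, 0xAA, 20);
    memset(out + 28, pad, (size_t)pad + 1);
    return 28 + (size_t)pad + 1;
}

/* Runs both checks over valid, corrupted and over-long padding; returns how
 * many of the four cases both implementations judged as expected. */
int self_check(void)
{
    uint8_t rec[300]; size_t n; int passed = 0;
    n = make_record(rec, 3);                           /* valid: 03 03 03 03 */
    passed += tls_padding_check_naive(rec, n, 20) == 1 && tls_padding_check_ct(rec, n, 20) == 1;
    rec[n - 3] = 0x00;                                 /* corrupt one padding byte */
    passed += tls_padding_check_naive(rec, n, 20) == 0 && tls_padding_check_ct(rec, n, 20) == 0;
    n = make_record(rec, 0);                           /* minimal padding: length byte 00 */
    passed += tls_padding_check_naive(rec, n, 20) == 1 && tls_padding_check_ct(rec, n, 20) == 1;
    rec[n - 1] = 200;                                  /* claims more padding than fits */
    passed += tls_padding_check_naive(rec, n, 20) == 0 && tls_padding_check_ct(rec, n, 20) == 0;
    return passed;
}
```

Making the padding check constant-time is only part of the fix: Lucky Thirteen also measures the MAC computation, whose running time depends on how much data is hashed, so the MAC step must be made constant-time as well.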
CVE-2013-0166: OpenSSL did not properly perform
signature verification for OCSP responses, which allowed
remote OCSP servers to cause a denial of service (NULL
pointer dereference and application crash) via an invalid
CVE-2012-2110 CVE-2012-2131: The asn1_d2i_read_bio
function in crypto/asn1/a_d2i_fp.c in OpenSSL did not
properly interpret integer data, which allowed remote
attackers to conduct buffer overflow attacks, and cause a
denial of service (memory corruption) or possibly have
unspecified other impact, via crafted DER data, as
demonstrated by an X.509 certificate or an RSA public key.
CVE-2011-4576: The SSL 3.0 implementation in OpenSSL
did not properly initialize data structures for block
cipher padding, which might have allowed remote attackers
to obtain sensitive information by decrypting the padding
data sent by an SSL peer.
CVE-2011-4619: The Server Gated Cryptography (SGC)
implementation in OpenSSL did not properly handle handshake
restarts, which allowed remote attackers to cause a denial
of service (CPU consumption) via unspecified vectors.
- SUSE CORE 9 (i586 s390 s390x x86_64):
- SUSE CORE 9 (x86_64):
- SUSE CORE 9 (s390x):