Security update for OpenSSL

SUSE Security Update: Security update for OpenSSL
Announcement ID: SUSE-SU-2013:1386-1
Rating: moderate
References: #739719 #758060 #802648 #802746
Affected Products:

  • An update that contains security fixes can now be installed.


    OpenSSL on SUSE Linux Enterprise Server 9 LTSS has been
    updated to receive a roll up of security fixes from the
    last year.

    The following issues have been fixed:


    CVE-2013-0169: The TLS protocol and the DTLS
    protocol, as used in OpenSSL and other products, did not
    properly consider timing side-channel attacks on a MAC
    check requirement during the processing of malformed CBC
    padding, which allowed remote attackers to conduct
    distinguishing attacks and plaintext-recovery attacks via
    statistical analysis of timing data for crafted packets,
    aka the "Lucky Thirteen" issue.


    CVE-2013-0166: OpenSSL did not properly perform
    signature verification for OCSP responses, which allowed
    remote OCSP servers to cause a denial of service (NULL
    pointer dereference and application crash) via an invalid


    CVE-2012-2110 CVE-2012-2131: The asn1_d2i_read_bio
    function in crypto/asn1/a_d2i_fp.c in OpenSSL did not
    properly interpret integer data, which allowed remote
    attackers to conduct buffer overflow attacks, and cause a
    denial of service (memory corruption) or possibly have
    unspecified other impact, via crafted DER data, as
    demonstrated by an X.509 certificate or an RSA public key.


    CVE-2011-4576: The SSL 3.0 implementation in OpenSSL
    did not properly initialize data structures for block
    cipher padding, which might have allowed remote attackers
    to obtain sensitive information by decrypting the padding
    data sent by an SSL peer.


    CVE-2011-4619: The Server Gated Cryptography (SGC)
    implementation in OpenSSL did not properly handle handshake
    restarts, which allowed remote attackers to cause a denial
    of service (CPU consumption) via unspecified vectors.

    Package List:

    • SUSE CORE 9 (i586 s390 s390x x86_64):
    • openssl-0.9.7d-15.48
    • openssl-devel-0.9.7d-15.48
    • openssl-doc-0.9.7d-15.48
    • SUSE CORE 9 (x86_64):
    • openssl-32bit-9-201308121627
    • openssl-devel-32bit-9-201308121627
    • SUSE CORE 9 (s390x):
    • openssl-32bit-9-201308121642
    • openssl-devel-32bit-9-201308121642