Security update for openssl
SUSE Security Update: Security update for openssl
OpenSSL was updated to fix security issues and also provide FIPS
compliance.
Security issues fixed: CVE-2014-3570: Bignum squaring (BN_sqr) may have
produced incorrect results on some platforms, including x86_64.
CVE-2014-3571: Fixed crash in dtls1_get_record whilst in the listen state
where you get two separate reads performed - one for the header and one
for the body of the handshake record.
CVE-2014-3572: No longer accept a handshake using an ephemeral ECDH
ciphersuites with the server key exchange message omitted.
CVE-2014-8275: Fixed various certificate fingerprint issues.
CVE-2015-0204: Only allow ephemeral RSA keys in export ciphersuites.
CVE-2015-0205: Fix to prevent use of DH client certificates without
sending certificate verify message.
CVE-2015-0206: A memory leak could have occured in dtls1_buffer_record.
Bugfixes:
- Do not advertise curves we don't support (bsc#906878)
FIPS changes:
- Make RSA2 key generation FIPS 186-4 compliant (bsc#901902)
- X9.31 rand method is not allowed in FIPS mode.
- Do not allow dynamic ENGINEs loading in FIPS mode.
- Added a locking hack which prevents hangs in FIPS mode (bsc#895129)
- In non-FIPS RSA key generation, mirror the maximum and minimum limiters
from FIPS rsa generation to meet Common Criteria and BSI TR requirements
on minimum and maximum distances between p and q. (bsc#908362)
- Do constant reseeding from /dev/urandom; for every random byte pulled,
seed with
one byte from /dev/urandom, also change RAND_poll to pull the full state
size of the SSLEAY DRBG to fulfil Common Criteria requirements.
(bsc#908372)
FIPS mode can be enabled by either using the environment variable
OPENSSL_FORCE_FIPS_MODE=1
or supplying the "fips=1" parameter on the kernel boot commandline.
Announcement ID: | SUSE-SU-2015:0205-1 |
Rating: | moderate |
References: | #855676 #895129 #901902 #906878 #908362 #908372 #912014 #912015 #912018 #912292 #912293 #912294 #912296 |
Affected Products: |
An update that solves 7 vulnerabilities and has 6 fixes is now available.
Description:
OpenSSL was updated to fix security issues and also provide FIPS
compliance.
Security issues fixed: CVE-2014-3570: Bignum squaring (BN_sqr) may have
produced incorrect results on some platforms, including x86_64.
CVE-2014-3571: Fixed crash in dtls1_get_record whilst in the listen state
where you get two separate reads performed - one for the header and one
for the body of the handshake record.
CVE-2014-3572: No longer accept a handshake using an ephemeral ECDH
ciphersuites with the server key exchange message omitted.
CVE-2014-8275: Fixed various certificate fingerprint issues.
CVE-2015-0204: Only allow ephemeral RSA keys in export ciphersuites.
CVE-2015-0205: Fix to prevent use of DH client certificates without
sending certificate verify message.
CVE-2015-0206: A memory leak could have occured in dtls1_buffer_record.
Bugfixes:
- Do not advertise curves we don't support (bsc#906878)
FIPS changes:
- Make RSA2 key generation FIPS 186-4 compliant (bsc#901902)
- X9.31 rand method is not allowed in FIPS mode.
- Do not allow dynamic ENGINEs loading in FIPS mode.
- Added a locking hack which prevents hangs in FIPS mode (bsc#895129)
- In non-FIPS RSA key generation, mirror the maximum and minimum limiters
from FIPS rsa generation to meet Common Criteria and BSI TR requirements
on minimum and maximum distances between p and q. (bsc#908362)
- Do constant reseeding from /dev/urandom; for every random byte pulled,
seed with
one byte from /dev/urandom, also change RAND_poll to pull the full state
size of the SSLEAY DRBG to fulfil Common Criteria requirements.
(bsc#908372)
FIPS mode can be enabled by either using the environment variable
OPENSSL_FORCE_FIPS_MODE=1
or supplying the "fips=1" parameter on the kernel boot commandline.
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 12:
zypper in -t patch SUSE-SLE-SDK-12-2015-52
- SUSE Linux Enterprise Server 12:
zypper in -t patch SUSE-SLE-SERVER-12-2015-52
- SUSE Linux Enterprise Desktop 12:
zypper in -t patch SUSE-SLE-DESKTOP-12-2015-52
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):
- libopenssl-devel-1.0.1i-17.1
- openssl-debuginfo-1.0.1i-17.1
- openssl-debugsource-1.0.1i-17.1
- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
- libopenssl1_0_0-1.0.1i-17.1
- libopenssl1_0_0-debuginfo-1.0.1i-17.1
- libopenssl1_0_0-hmac-1.0.1i-17.1
- openssl-1.0.1i-17.1
- openssl-debuginfo-1.0.1i-17.1
- openssl-debugsource-1.0.1i-17.1
- SUSE Linux Enterprise Server 12 (s390x x86_64):
- libopenssl1_0_0-32bit-1.0.1i-17.1
- libopenssl1_0_0-debuginfo-32bit-1.0.1i-17.1
- libopenssl1_0_0-hmac-32bit-1.0.1i-17.1
- SUSE Linux Enterprise Server 12 (noarch):
- openssl-doc-1.0.1i-17.1
- SUSE Linux Enterprise Desktop 12 (x86_64):
- libopenssl1_0_0-1.0.1i-17.1
- libopenssl1_0_0-32bit-1.0.1i-17.1
- libopenssl1_0_0-debuginfo-1.0.1i-17.1
- libopenssl1_0_0-debuginfo-32bit-1.0.1i-17.1
- openssl-1.0.1i-17.1
- openssl-debuginfo-1.0.1i-17.1
- openssl-debugsource-1.0.1i-17.1
References:
- http://support.novell.com/security/cve/CVE-2014-3570.html
- http://support.novell.com/security/cve/CVE-2014-3571.html
- http://support.novell.com/security/cve/CVE-2014-3572.html
- http://support.novell.com/security/cve/CVE-2014-8275.html
- http://support.novell.com/security/cve/CVE-2015-0204.html
- http://support.novell.com/security/cve/CVE-2015-0205.html
- http://support.novell.com/security/cve/CVE-2015-0206.html
- https://bugzilla.suse.com/show_bug.cgi?id=855676
- https://bugzilla.suse.com/show_bug.cgi?id=895129
- https://bugzilla.suse.com/show_bug.cgi?id=901902
- https://bugzilla.suse.com/show_bug.cgi?id=906878
- https://bugzilla.suse.com/show_bug.cgi?id=908362
- https://bugzilla.suse.com/show_bug.cgi?id=908372
- https://bugzilla.suse.com/show_bug.cgi?id=912014
- https://bugzilla.suse.com/show_bug.cgi?id=912015
- https://bugzilla.suse.com/show_bug.cgi?id=912018
- https://bugzilla.suse.com/show_bug.cgi?id=912292
- https://bugzilla.suse.com/show_bug.cgi?id=912293
- https://bugzilla.suse.com/show_bug.cgi?id=912294
- https://bugzilla.suse.com/show_bug.cgi?id=912296