Security update for compat-openssl098

SUSE Security Update: Security update for compat-openssl098
Announcement ID: SUSE-SU-2015:0305-1
Rating: moderate
References: #892403 #912014 #912015 #912018 #912293 #912294 #912296
Affected Products:
  • SUSE Linux Enterprise Module for Legacy Software 12
  • SUSE Linux Enterprise Desktop 12

An update that fixes 7 vulnerabilities is now available.

    Description:

    The openssl 0.9.8j compatibility package was updated to fix several
    security vulnerabilities:

    CVE-2014-3570: Bignum squaring (BN_sqr) may produce incorrect results
    on some platforms, including x86_64.

    CVE-2014-3571: Fix a crash in dtls1_get_record while in the listen state,
    where two separate reads are performed: one for the header and one for
    the body of the handshake record.

    CVE-2014-3572: Do not accept a handshake using ephemeral ECDH
    ciphersuites when the server key exchange message is omitted.

    CVE-2014-8275: Fixed various certificate fingerprint issues.

    CVE-2015-0204: Only allow ephemeral RSA keys in export ciphersuites.

    CVE-2015-0205: OpenSSL 0.9.8j is NOT vulnerable to CVE-2015-0205, as it
    does not support DH certificates, and the typo in question prevents
    skipping the certificate verify message for sign-only certificates
    anyway. (This patch only corrects the wrong condition.)

    This update also fixes a regression caused by CVE-2014-0224.patch
    (bnc#892403).

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Module for Legacy Software 12:
      zypper in -t patch SUSE-SLE-Module-Legacy-12-2015-78=1
    • SUSE Linux Enterprise Desktop 12:
      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-78=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Module for Legacy Software 12 (s390x x86_64):
      • compat-openssl098-debugsource-0.9.8j-70.2
      • libopenssl0_9_8-0.9.8j-70.2
      • libopenssl0_9_8-32bit-0.9.8j-70.2
      • libopenssl0_9_8-debuginfo-0.9.8j-70.2
      • libopenssl0_9_8-debuginfo-32bit-0.9.8j-70.2
    • SUSE Linux Enterprise Desktop 12 (x86_64):
      • compat-openssl098-debugsource-0.9.8j-70.2
      • libopenssl0_9_8-0.9.8j-70.2
      • libopenssl0_9_8-32bit-0.9.8j-70.2
      • libopenssl0_9_8-debuginfo-0.9.8j-70.2
      • libopenssl0_9_8-debuginfo-32bit-0.9.8j-70.2
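The package list above names 0.9.8j-70.2 as the fixed build. The following script is an added example, not part of the SUSE advisory or of any SUSE tooling: it decides, from the version-release string that `rpm -q --qf '%{VERSION}-%{RELEASE}\n' libopenssl0_9_8` prints on a host, whether that host still carries a pre-fix build and therefore needs the zypper patch from the Patch Instructions. The release comparison is numeric per dotted component, so 70.10 correctly ranks above 70.2. The sample inputs at the bottom are constructed for illustration and are not real host data.

```shell
#!/bin/sh
# Added example (not from the SUSE advisory): report whether an installed
# libopenssl0_9_8 build predates the fixed build 0.9.8j-70.2.
# Input format is "%{VERSION}-%{RELEASE}", as printed by
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' libopenssl0_9_8
set -e

FIXED_VERSION="0.9.8j"   # version string from the advisory's package list
FIXED_RELEASE="70.2"     # release of the fixed build

# release_lt A B: true (exit 0) when dotted numeric release A is lower than B.
# Missing trailing components are treated as 0, so "70" equals "70.0".
release_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}; bh=${b%%.*}
    [ -n "$ah" ] || ah=0
    [ -n "$bh" ] || bh=0
    if [ "$ah" -lt "$bh" ]; then return 0; fi
    if [ "$ah" -gt "$bh" ]; then return 1; fi
    case "$a" in *.*) a=${a#*.};; *) a="";; esac
    case "$b" in *.*) b=${b#*.};; *) b="";; esac
  done
  return 1
}

# needs_patch VERSION-RELEASE: true (exit 0) when the build is older than the
# fixed 0.9.8j-70.2. A version other than 0.9.8j is outside this advisory and
# is reported on stderr rather than silently treated as safe or unsafe.
needs_patch() {
  ver=${1%-*}; rel=${1##*-}
  if [ "$ver" != "$FIXED_VERSION" ]; then
    echo "unknown: $1 is not a $FIXED_VERSION build covered by this advisory" >&2
    return 1
  fi
  release_lt "$rel" "$FIXED_RELEASE"
}

# Constructed sample inputs for demonstration (not real rpm output):
for sample in "0.9.8j-68.1" "0.9.8j-70.2" "0.9.8j-70.10"; do
  if needs_patch "$sample"; then
    echo "$sample: older than $FIXED_VERSION-$FIXED_RELEASE, apply the patch"
  else
    echo "$sample: at or beyond the fixed build"
  fi
done
```

On a real host, replace the sample loop with `needs_patch "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' libopenssl0_9_8)"`; the 32bit package can be checked the same way with its own name. Note that `rpm -q` can print several lines when multiple architectures of the package are installed, so feed each line to the check separately.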

    References:

    • http://support.novell.com/security/cve/CVE-2014-0224.html
    • http://support.novell.com/security/cve/CVE-2014-3570.html
    • http://support.novell.com/security/cve/CVE-2014-3571.html
    • http://support.novell.com/security/cve/CVE-2014-3572.html
    • http://support.novell.com/security/cve/CVE-2014-8275.html
    • http://support.novell.com/security/cve/CVE-2015-0204.html
    • http://support.novell.com/security/cve/CVE-2015-0205.html
    • https://bugzilla.suse.com/892403
    • https://bugzilla.suse.com/912014
    • https://bugzilla.suse.com/912015
    • https://bugzilla.suse.com/912018
    • https://bugzilla.suse.com/912293
    • https://bugzilla.suse.com/912294
    • https://bugzilla.suse.com/912296