Security update for openssl-3, libpulp, ulp-macros

Announcement ID: SUSE-SU-2025:20014-1
Release Date: 2025-02-03T08:48:39Z
Rating: important
CVSS scores:
  • CVE-2024-2511 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2024-2511 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2024-4603 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2024-4603 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2024-4741 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2024-4741 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2024-5535 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2024-6119 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  • CVE-2024-6119 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2024-6119 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2024-6119 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:
  • SUSE Linux Micro 6.0

An update that solves five vulnerabilities and has 22 fixes can now be installed.

Description:

This update for openssl-3, libpulp, ulp-macros fixes the following issues:

openssl-3:

  • CVE-2024-6119: possible denial of service in X.509 name checks (bsc#1229465)
  • CVE-2024-5535: SSL_select_next_proto buffer overread (bsc#1227138)
  • CVE-2024-4741: Fixed a use-after-free with SSL_free_buffers (bsc#1225551)
  • CVE-2024-4603: Check DSA parameters for excessive sizes before validating (bsc#1224388)
  • CVE-2024-2511: Fix unconstrained session cache growth in TLSv1.3 (bsc#1222548)
  • FIPS: Deny SHA-1 signature verification in FIPS provider (bsc#1221365)
  • FIPS: RSA keygen PCT requirements. (bsc#1221760, bsc#1221753)
  • FIPS: Check that the fips provider is available before setting it as the default provider in FIPS mode. (bsc#1220523)
  • FIPS: Port openssl to use jitterentropy (bsc#1220523)
  • FIPS: Block non-Approved Elliptic Curves (bsc#1221786)
  • FIPS: Service Level Indicator (bsc#1221365)
  • FIPS: Output the FIPS-validation name and module version which uniquely identify the FIPS validated module. (bsc#1221751)
  • FIPS: Add required selftests (bsc#1221760)
  • FIPS: DH: Disable FIPS 186-4 Domain Parameters (bsc#1221821)
  • FIPS: Recommendation for Password-Based Key Derivation (bsc#1221827)
  • FIPS: Zeroization is required (bsc#1221752)
  • FIPS: Reseed DRBG (bsc#1220690, bsc#1220693, bsc#1220696)
  • FIPS: NIST SP 800-56Brev2 (bsc#1221824)
  • FIPS: Approved Modulus Sizes for RSA Digital Signature for FIPS 186-4 (bsc#1221787)
  • FIPS: Port openssl to use jitterentropy (bsc#1220523)
  • FIPS: NIST SP 800-56Arev3 (bsc#1221822)
  • FIPS: Error state has to be enforced (bsc#1221753)
  • Build with enabled sm2 and sm4 support (bsc#1222899)
  • Fix non-reproducible build issue
  • Fix HKDF key derivation (bsc#1225291)
  • Enable livepatching support (bsc#1223428)

libpulp:

  • Update package with libpulp-0.3.5:
    • Change .so load policy from lazy to eager.
    • Fix patch of references when mprotect is enabled.
    • Fix transposed calloc arguments.
    • Fix crash of ulp packer on empty lines.
  • Disabled ptrace_scope through aaa_base-enable-ptrace package (bsc#1221763).
  • Update package with libpulp-0.3.4:
    • Add debuginfo into ulp extract.
  • Disabled ptrace_scope when building the package (bsc#1221763).
  • Update package with libpulp-0.3.3:
    • Fixed a race condition when process list is empty.
    • Removed "Unable to get section data" error message (bsc#1223306).
    • Bumped asunsafe_conversion attempts from 100 to 2000.
    • Fixed banner test on clang-18.
    • Check if ptrace_scope is enabled when attempting a ptrace operation (bsc#1221763).
  • Update package with libpulp-0.3.1:
    • Add timestamp information on ulp patches.

ulp-macros:

  • Initial release.

Patch Instructions:

To install this SUSE update, use the SUSE-recommended installation methods such as YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Micro 6.0
    zypper in -t patch SUSE-SLE-Micro-6.0-58=1

Package List:

  • SUSE Linux Micro 6.0 (x86_64)
    • libpulp0-debuginfo-0.3.5-1.1
    • libpulp-tools-debuginfo-0.3.5-1.1
    • libpulp-debugsource-0.3.5-1.1
    • libpulp0-0.3.5-1.1
    • libpulp-tools-0.3.5-1.1
  • SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
    • libopenssl-3-fips-provider-debuginfo-3.1.4-6.1
    • openssl-3-debuginfo-3.1.4-6.1
    • jitterentropy-devel-3.4.1-3.1
    • libopenssl3-3.1.4-6.1
    • openssl-3-debugsource-3.1.4-6.1
    • openssl-3-3.1.4-6.1
    • libopenssl-3-fips-provider-3.1.4-6.1
    • libjitterentropy3-3.4.1-3.1
    • libopenssl-3-devel-3.1.4-6.1
    • libopenssl3-debuginfo-3.1.4-6.1
