openSUSE Security Update: Security update for openssl
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2015:0130-1
Rating:             important
References:         #911399 #912014 #912015 #912018 #912292 #912293 
                    #912294 #912296 
Cross-References:   CVE-2014-3569 CVE-2014-3570 CVE-2014-3571
                    CVE-2014-3572 CVE-2014-8275 CVE-2015-0204
                    CVE-2015-0205 CVE-2015-0206
Affected Products:
                    openSUSE 13.2
                    openSUSE 13.1
______________________________________________________________________________

   An update that fixes 8 vulnerabilities is now available.

Description:


   openssl was updated to 1.0.1k to fix various security issues and bugs.

   More information can be found in the openssl advisory:
   
   Following issues were fixed:

   * CVE-2014-3570 (bsc#912296): Bignum squaring (BN_sqr) may have produced
     incorrect results on some platforms, including x86_64.

   * CVE-2014-3571 (bsc#912294): Fixed crash in dtls1_get_record whilst in
     the listen state where you get two separate reads performed - one for
     the header and one for the body of the handshake record.

   * CVE-2014-3572 (bsc#912015): Don't accept a handshake using an ephemeral
     ECDH ciphersuites with the server key exchange message omitted.

   * CVE-2014-8275 (bsc#912018): Fixed various certificate fingerprint issues.

   * CVE-2015-0204 (bsc#912014): Only allow ephemeral RSA keys in export
     ciphersuites

   * CVE-2015-0205 (bsc#912293): A fixwas added to prevent use of DH client
     certificates without sending certificate verify message.

   * CVE-2015-0206 (bsc#912292): A memory leak was fixed in
     dtls1_buffer_record.


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.2:

      zypper in -t patch openSUSE-2015-67

   - openSUSE 13.1:

      zypper in -t patch openSUSE-2015-67

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE 13.2 (i586 x86_64):

      libopenssl-devel-1.0.1k-2.16.2
      libopenssl1_0_0-1.0.1k-2.16.2
      libopenssl1_0_0-debuginfo-1.0.1k-2.16.2
      libopenssl1_0_0-hmac-1.0.1k-2.16.2
      openssl-1.0.1k-2.16.2
      openssl-debuginfo-1.0.1k-2.16.2
      openssl-debugsource-1.0.1k-2.16.2

   - openSUSE 13.2 (x86_64):

      libopenssl-devel-32bit-1.0.1k-2.16.2
      libopenssl1_0_0-32bit-1.0.1k-2.16.2
      libopenssl1_0_0-debuginfo-32bit-1.0.1k-2.16.2
      libopenssl1_0_0-hmac-32bit-1.0.1k-2.16.2

   - openSUSE 13.2 (noarch):

      openssl-doc-1.0.1k-2.16.2

   - openSUSE 13.1 (i586 x86_64):

      libopenssl-devel-1.0.1k-11.64.2
      libopenssl1_0_0-1.0.1k-11.64.2
      libopenssl1_0_0-debuginfo-1.0.1k-11.64.2
      openssl-1.0.1k-11.64.2
      openssl-debuginfo-1.0.1k-11.64.2
      openssl-debugsource-1.0.1k-11.64.2

   - openSUSE 13.1 (x86_64):

      libopenssl-devel-32bit-1.0.1k-11.64.2
      libopenssl1_0_0-32bit-1.0.1k-11.64.2
      libopenssl1_0_0-debuginfo-32bit-1.0.1k-11.64.2

   - openSUSE 13.1 (noarch):

      openssl-doc-1.0.1k-11.64.2


References:

   https://www.suse.com/security/cve/CVE-2014-3569.html
   https://www.suse.com/security/cve/CVE-2014-3570.html
   https://www.suse.com/security/cve/CVE-2014-3571.html
   https://www.suse.com/security/cve/CVE-2014-3572.html
   https://www.suse.com/security/cve/CVE-2014-8275.html
   https://www.suse.com/security/cve/CVE-2015-0204.html
   https://www.suse.com/security/cve/CVE-2015-0205.html
   https://www.suse.com/security/cve/CVE-2015-0206.html
   https://bugzilla.suse.com/show_bug.cgi?id=911399
   https://bugzilla.suse.com/show_bug.cgi?id=912014
   https://bugzilla.suse.com/show_bug.cgi?id=912015
   https://bugzilla.suse.com/show_bug.cgi?id=912018
   https://bugzilla.suse.com/show_bug.cgi?id=912292
   https://bugzilla.suse.com/show_bug.cgi?id=912293
   https://bugzilla.suse.com/show_bug.cgi?id=912294
   https://bugzilla.suse.com/show_bug.cgi?id=912296

openSUSE: 2015:0130-1: important: openssl

January 23, 2015
An update that fixes 8 vulnerabilities is now available

Description

openssl was updated to 1.0.1k to fix various security issues and bugs. More information can be found in the openssl advisory: Following issues were fixed: * CVE-2014-3570 (bsc#912296): Bignum squaring (BN_sqr) may have produced incorrect results on some platforms, including x86_64. * CVE-2014-3571 (bsc#912294): Fixed crash in dtls1_get_record whilst in the listen state where you get two separate reads performed - one for the header and one for the body of the handshake record. * CVE-2014-3572 (bsc#912015): Don't accept a handshake using an ephemeral ECDH ciphersuites with the server key exchange message omitted. * CVE-2014-8275 (bsc#912018): Fixed various certificate fingerprint issues. * CVE-2015-0204 (bsc#912014): Only allow ephemeral RSA keys in export ciphersuites * CVE-2015-0205 (bsc#912293): A fixwas added to prevent use of DH client certificates without sending certificate verify message. * CVE-2015-0206 (bsc#912292): A memory leak was fixed in dtls1_buffer_record.

 

Patch

Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.2: zypper in -t patch openSUSE-2015-67 - openSUSE 13.1: zypper in -t patch openSUSE-2015-67 To bring your system up-to-date, use "zypper patch".


Package List

- openSUSE 13.2 (i586 x86_64): libopenssl-devel-1.0.1k-2.16.2 libopenssl1_0_0-1.0.1k-2.16.2 libopenssl1_0_0-debuginfo-1.0.1k-2.16.2 libopenssl1_0_0-hmac-1.0.1k-2.16.2 openssl-1.0.1k-2.16.2 openssl-debuginfo-1.0.1k-2.16.2 openssl-debugsource-1.0.1k-2.16.2 - openSUSE 13.2 (x86_64): libopenssl-devel-32bit-1.0.1k-2.16.2 libopenssl1_0_0-32bit-1.0.1k-2.16.2 libopenssl1_0_0-debuginfo-32bit-1.0.1k-2.16.2 libopenssl1_0_0-hmac-32bit-1.0.1k-2.16.2 - openSUSE 13.2 (noarch): openssl-doc-1.0.1k-2.16.2 - openSUSE 13.1 (i586 x86_64): libopenssl-devel-1.0.1k-11.64.2 libopenssl1_0_0-1.0.1k-11.64.2 libopenssl1_0_0-debuginfo-1.0.1k-11.64.2 openssl-1.0.1k-11.64.2 openssl-debuginfo-1.0.1k-11.64.2 openssl-debugsource-1.0.1k-11.64.2 - openSUSE 13.1 (x86_64): libopenssl-devel-32bit-1.0.1k-11.64.2 libopenssl1_0_0-32bit-1.0.1k-11.64.2 libopenssl1_0_0-debuginfo-32bit-1.0.1k-11.64.2 - openSUSE 13.1 (noarch): openssl-doc-1.0.1k-11.64.2


References

https://www.suse.com/security/cve/CVE-2014-3569.html https://www.suse.com/security/cve/CVE-2014-3570.html https://www.suse.com/security/cve/CVE-2014-3571.html https://www.suse.com/security/cve/CVE-2014-3572.html https://www.suse.com/security/cve/CVE-2014-8275.html https://www.suse.com/security/cve/CVE-2015-0204.html https://www.suse.com/security/cve/CVE-2015-0205.html https://www.suse.com/security/cve/CVE-2015-0206.html https://bugzilla.suse.com/show_bug.cgi?id=911399 https://bugzilla.suse.com/show_bug.cgi?id=912014 https://bugzilla.suse.com/show_bug.cgi?id=912015 https://bugzilla.suse.com/show_bug.cgi?id=912018 https://bugzilla.suse.com/show_bug.cgi?id=912292 https://bugzilla.suse.com/show_bug.cgi?id=912293 https://bugzilla.suse.com/show_bug.cgi?id=912294 https://bugzilla.suse.com/show_bug.cgi?id=912296


Severity
Announcement ID: openSUSE-SU-2015:0130-1
Rating: important
Affected Products: openSUSE 13.2 openSUSE 13.1 .

Related News

Defending Against Remote Code Execution in Google Chrome: A Critical Update
2 - 3 min read
Google Chrome, a widely used web browser, serves millions of internet users by connecting them to the online world. Unfortunately, severe
Navigating the Linux Kernel
2 - 4 min read
The Linux operating system, widely acclaimed for its robustness and security , recently received widespread media attention due to a significant
Staying a Step Ahead of Adversaries: Mitigating Chromium
2 - 4 min read
Google Chrome, one of the world's most widely used web browsers, has recently been scrutinized due to the discovery of multiple Chromium
Unmasking Cicada3301: Examining the Threat of the New Rust-Based Ransomware
2 - 4 min read
Ransomware has long been a severe threat to organizations and admins alike. Recently, cybersecurity researchers discovered a new variant called
Buffer Overflow Exploits in Linux: Origins, Impact, and Countermeasures
3 - 6 min read
Buffer overflow vulnerabilities have long been one of the biggest headaches in computer security, especially on Linux operating systems that power
8 Expert-Recommended Security Practices to Fortify Your Linux Systems
4 - 8 min read
As a Linux admin or an infosec professional, you understand how the security landscape changes due to evolving threats, newly discovered
Open Source Strategies for Enhancing Security in Digital Business Operations
5 - 9 min read
Digital transformation, powered by the principles of open-source security , is vital for businesses looking to excel in today's technology-driven
Microsoft Update Mayhem: Rescuing Linux Dual-Boot Systems from Secure Boot Woes
2 - 4 min read
Microsoft's recent patch, intended to strengthen Secure Boot defenses, has resulted in an unexpected setback for Linux-Windows dual-boot setups

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved