This update for openssl fixes the following issues:
Security issues fixed:
- CVE-2016-0800 aka the "DROWN" attack (bsc#968046): OpenSSL was
vulnerable to a cross-protocol attack that could lead to decryption of
TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites
as a Bleichenbacher RSA padding oracle.
This update changes the openssl library to:
* Disable SSLv2 protocol support by default.
  This can be overridden by setting the environment variable
  "OPENSSL_ALLOW_SSL2" or by calling SSL_CTX_clear_options with the
  SSL_OP_NO_SSLv2 flag.
  Note that various services and clients had already disabled SSL
  protocol 2 by default.
  Please also note that we already built the openSUSE 13.2 openssl with
  "no-ssl2".
* Disable all weak EXPORT ciphers by default. These can be re-enabled if
  required by old legacy software using the environment variable
  "OPENSSL_ALLOW_EXPORT".
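
After installing the update, it is worth checking that nothing on the host switches the old behaviour back on. The shell functions below are an added example, not part of the advisory: they look for the two override variables named above in configuration files and in the environments of running processes. The function names, the sample tree and the paths in the closing comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the advisory. Variable names are from the
# advisory; function names and the sample tree are constructed.
OVERRIDE_RE='OPENSSL_ALLOW_(SSL2|EXPORT)'

# scan_configs PATH...: print "file:line:text" for every non-comment line
# that assigns an override (sysconfig files, systemd units, init scripts).
scan_configs() {
    grep -rnHE "$OVERRIDE_RE=" "$@" 2>/dev/null |
        grep -vE '^[^:]+:[0-9]+:[[:space:]]*#'
}

# scan_procs [PROCROOT]: print "pid variable" for each process whose
# environment carries an override. environ files are NUL-separated, and
# reading other users' processes requires root.
scan_procs() {
    root=${1:-/proc}
    for f in "$root"/[0-9]*/environ; do
        [ -r "$f" ] || continue
        pid=${f%/environ}; pid=${pid##*/}
        tr '\0' '\n' < "$f" 2>/dev/null |
            grep -E "^$OVERRIDE_RE=" |
            while IFS='=' read -r name rest; do echo "$pid $name"; done
    done
}

# make_sample: build a constructed tree (one unit file that sets an override,
# one file with the override commented out, two fake processes) and print
# its path, so both scanners can be tried without touching the host.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/proc/101" "$d/proc/202"
    printf '%s\n' '[Service]' 'Environment=OPENSSL_ALLOW_SSL2=1' > "$d/etc/legacy.service"
    printf '%s\n' '# OPENSSL_ALLOW_EXPORT=1' 'FOO=bar' > "$d/etc/sysconfig-app"
    printf 'PATH=/usr/bin\0OPENSSL_ALLOW_EXPORT=1\0' > "$d/proc/101/environ"
    printf 'PATH=/usr/bin\0HOME=/root\0' > "$d/proc/202/environ"
    echo "$d"
}

# Typical use on a real host (paths are assumptions, adjust as needed):
#   scan_configs /etc/sysconfig /etc/systemd /etc/init.d
#   scan_procs
```

An empty result from both functions means nothing in the scanned locations re-enables SSLv2 or EXPORT ciphers through the environment; applications that call SSL_CTX_clear_options themselves are not covered by this check.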
-...
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 13.2:
zypper in -t patch openSUSE-2016-288=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 13.2 (i586 x86_64):
libopenssl-devel-1.0.1k-2.33.1
libopenssl1_0_0-1.0.1k-2.33.1
libopenssl1_0_0-debuginfo-1.0.1k-2.33.1
libopenssl1_0_0-hmac-1.0.1k-2.33.1
openssl-1.0.1k-2.33.1
openssl-debuginfo-1.0.1k-2.33.1
openssl-debugsource-1.0.1k-2.33.1
- openSUSE 13.2 (x86_64):
libopenssl-devel-32bit-1.0.1k-2.33.1
libopenssl1_0_0-32bit-1.0.1k-2.33.1
libopenssl1_0_0-debuginfo-32bit-1.0.1k-2.33.1
libopenssl1_0_0-hmac-32bit-1.0.1k-2.33.1
- openSUSE 13.2 (noarch):
openssl-doc-1.0.1k-2.33.1
References:
https://www.suse.com/security/cve/CVE-2016-0702.html
https://www.suse.com/security/cve/CVE-2016-0705.html
https://www.suse.com/security/cve/CVE-2016-0797.html
https://www.suse.com/security/cve/CVE-2016-0798.html
https://www.suse.com/security/cve/CVE-2016-0799.html
https://www.suse.com/security/cve/CVE-2016-0800.html
https://bugzilla.suse.com/952871
https://bugzilla.suse.com/968046
https://bugzilla.suse.com/968047
https://bugzilla.suse.com/968048
https://bugzilla.suse.com/968050
https://bugzilla.suse.com/968265
https://bugzilla.suse.com/968374