
openSUSE Leap 42.1 2016:0720-1 Critical OpenSSL Security Update

opensuse
March 11, 2016
Stay informed on critical OpenSSL vulnerabilities affecting openSUSE systems. Update your security with the latest patches to protect your data and integrity.
An update that fixes 7 vulnerabilities is now available.

Description

This update for compat-openssl098 fixes various security issues and bugs:

Security issues fixed:

- CVE-2016-0800 aka the "DROWN" attack (bsc#968046): OpenSSL was vulnerable to a cross-protocol attack that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle.

  This update changes the openssl library to:

  * Disable SSLv2 protocol support by default. This can be overridden by setting the environment variable "OPENSSL_ALLOW_SSL2" or by calling SSL_CTX_clear_options with the SSL_OP_NO_SSLv2 flag.

    Note that various services and clients had already disabled SSL protocol 2 by default previously.

  * Disable all weak EXPORT ciphers by default. These can be reenabled if required by old legacy software using the environment variable "OPENSSL_ALLOW_EXPORT".

- CVE-2016-0797 (bnc#968048): The BN_hex2bn() and BN_dec2bn() functions

...


Patch

Patch Instructions:

To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- openSUSE Leap 42.1:

  zypper in -t patch openSUSE-2016-327=1

To bring your system up-to-date, use "zypper patch".
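
Because the SSLv2 and EXPORT defaults described above can be overridden per process through "OPENSSL_ALLOW_SSL2" and "OPENSSL_ALLOW_EXPORT", a useful post-patch check is to look for those variables in the environment of running processes. The shell function below is an added example, not part of the advisory; it assumes a Linux /proc layout and treats the mere presence of either variable as an override.

```shell
#!/bin/sh
# Added example (not from the advisory): report processes whose environment
# sets one of the override variables named in the description.
# Assumption: presence of the variable, with any value, counts as an override.
#
# Usage: audit_openssl_overrides [PROC_ROOT]
#   PROC_ROOT defaults to /proc; run as root to read every process.
#   Prints "PID VARIABLE" per finding and returns 1 if anything was found.
audit_openssl_overrides() {
    root=${1:-/proc}
    found=0
    for env_file in "$root"/[0-9]*/environ; do
        # Skip unreadable entries and processes that exited meanwhile.
        [ -r "$env_file" ] || continue
        pid=${env_file%/environ}
        pid=${pid##*/}
        # environ is NUL-separated; convert to one NAME=value per line and
        # keep only exact matches on the two variable names.
        hits=$(tr '\0' '\n' 2>/dev/null < "$env_file" |
               sed -n -e 's/^\(OPENSSL_ALLOW_SSL2\)=.*/\1/p' \
                      -e 's/^\(OPENSSL_ALLOW_EXPORT\)=.*/\1/p')
        for var in $hits; do
            printf '%s %s\n' "$pid" "$var"
            found=1
        done
    done
    [ "$found" -eq 0 ]
}
```

Any PID it reports belongs to a service still running with SSLv2 or EXPORT ciphers re-enabled; the variable usually comes from that service's unit file, init script or wrapper.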

Package List

- openSUSE Leap 42.1 (i586 x86_64):

  compat-openssl098-debugsource-0.9.8j-9.1
  libopenssl0_9_8-0.9.8j-9.1
  libopenssl0_9_8-debuginfo-0.9.8j-9.1

- openSUSE Leap 42.1 (x86_64):

  libopenssl0_9_8-32bit-0.9.8j-9.1
  libopenssl0_9_8-debuginfo-32bit-0.9.8j-9.1

References

https://www.suse.com/security/cve/CVE-2015-3197.html

https://www.suse.com/security/cve/CVE-2016-0702.html

https://www.suse.com/security/cve/CVE-2016-0703.html

https://www.suse.com/security/cve/CVE-2016-0704.html

https://www.suse.com/security/cve/CVE-2016-0797.html

https://www.suse.com/security/cve/CVE-2016-0799.html

https://www.suse.com/security/cve/CVE-2016-0800.html

https://bugzilla.suse.com/show_bug.cgi?id=952871

https://bugzilla.suse.com/show_bug.cgi?id=963415

https://bugzilla.suse.com/show_bug.cgi?id=968046

https://bugzilla.suse.com/show_bug.cgi?id=968048

https://bugzilla.suse.com/show_bug.cgi?id=968051

https://bugzilla.suse.com/show_bug.cgi?id=968053

https://bugzilla.suse.com/show_bug.cgi?id=968374

Severity
important

Announcement ID: openSUSE-SU-2016:0720-1
Rating: important
Affected Products: openSUSE Leap 42.1
