openSUSE Leap 15.0: 2018:2592-1 Moderate: libressl Timing Leak

September 3, 2018
A patch for libressl in openSUSE Leap 15.0 resolved a moderate vulnerability, improving general security and system robustness.
An update that fixes one vulnerability is now available.

Description

This update for libressl to version 2.8.0 fixes the following issues:

Security issues fixed:

- CVE-2018-12434: Avoid a timing side-channel leak when generating DSA and ECDSA signatures. (boo#1097779)

- Reject excessively large primes in DH key generation.

Other bugs fixed:

- Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry.

- Tighten up checks for various X509_VERIFY_PARAM functions, 'poisoning' parameters so that an unverified certificate cannot be used if it fails verification.

- Fixed a potential memory leak on failure in ASN1_item_digest.

- Fixed a potential memory alignment crash in asn1_item_combine_free.

- Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths.

- Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds.

- Added const annotations to many existing APIs from OpenSSL, making interoperability easier for downstream applications.

-...

Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-950=1

Package List

- openSUSE Leap 15.0 (i586 x86_64):

libcrypto43-2.8.0-lp150.2.3.1

libcrypto43-debuginfo-2.8.0-lp150.2.3.1

libressl-2.8.0-lp150.2.3.1

libressl-debuginfo-2.8.0-lp150.2.3.1

libressl-debugsource-2.8.0-lp150.2.3.1

libressl-devel-2.8.0-lp150.2.3.1

libssl45-2.8.0-lp150.2.3.1

libssl45-debuginfo-2.8.0-lp150.2.3.1

libtls17-2.8.0-lp150.2.3.1

libtls17-debuginfo-2.8.0-lp150.2.3.1

- openSUSE Leap 15.0 (noarch):

libressl-devel-doc-2.8.0-lp150.2.3.1

- openSUSE Leap 15.0 (x86_64):

libcrypto43-32bit-2.8.0-lp150.2.3.1

libcrypto43-32bit-debuginfo-2.8.0-lp150.2.3.1

libressl-devel-32bit-2.8.0-lp150.2.3.1

libssl45-32bit-2.8.0-lp150.2.3.1

libssl45-32bit-debuginfo-2.8.0-lp150.2.3.1

libtls17-32bit-2.8.0-lp150.2.3.1

libtls17-32bit-debuginfo-2.8.0-lp150.2.3.1
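
A check that installed libressl packages are at or above the fixed build in the Package List, added here as an example and not part of the original advisory. The function names and the sample inventory are constructed for illustration, and `sort -V` is assumed to be a close enough stand-in for RPM's own version ordering for these strings.

```shell
#!/bin/sh
# Added example: flag libressl packages older than the build in this advisory.
FIXED="2.8.0-lp150.2.3.1"   # version-release taken from the Package List

# is_fixed VERSION-RELEASE: succeeds when the argument is >= FIXED.
# Assumption: sort -V approximates rpm's version comparison here.
is_fixed() {
    lowest=$(printf '%s\n%s\n' "$FIXED" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED" ]
}

# audit: reads "NAME VERSION-RELEASE" lines on stdin, prints a verdict for
# each package covered by the advisory and returns how many need the patch.
audit() {
    bad=0
    while read -r name verrel; do
        case "$name" in
            libcrypto43*|libssl45*|libtls17*|libressl*) ;;
            *) continue ;;   # package not shipped by this update
        esac
        if is_fixed "$verrel"; then
            echo "OK      $name $verrel"
        else
            echo "UPDATE  $name $verrel"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample inventory (not real host data).
sample_inventory() {
    printf '%s\n' \
        "libcrypto43 2.6.4-lp150.1.1" \
        "libssl45 2.8.0-lp150.2.3.1" \
        "libtls17 2.6.4-lp150.1.1" \
        "bash 4.4-lp150.7.8"
}

# On a real host, feed the installed package set instead:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | audit
sample_inventory | audit || echo "some packages still need the patch"
```
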

References

https://www.suse.com/security/cve/CVE-2018-12434.html

https://bugzilla.suse.com/1097779

--

Announcement ID: openSUSE-SU-2018:2592-1
Rating: moderate
Affected Products: openSUSE Leap 15.0
