Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 547
Alerts This Week
Warning Icon 1 547

openSUSE Leap 42.3: 2018:2695-1 Moderate: DoS Risk in compat-openssl098

opensuse
Calendar Grey September 12, 2018
Scroller Opensuse Esm H88
New security patches for compat-openssl098 released in openSUSE, tackling three key vulnerabilities to bolster system defense and reduce potential threats.
An update that solves three vulnerabilities and has two fixes is now available.

Description

This update for compat-openssl098 fixes the following security issues:

- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E)

based ciphersuite a malicious server could have sent a very large prime

value to the client. This caused the client to spend an unreasonably

long period of time generating a key for this prime resulting in a hang

until the client has finished. This could be exploited in a Denial Of

Service attack (bsc#1097158)

- Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592)

- CVE-2018-0737: The RSA Key generation algorithm has been shown to be

vulnerable to a cache timing side channel attack. An attacker with

sufficient access to mount cache timing attacks during the RSA key

generation process could have recovered the private key (bsc#1089039)

- CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such

as can be found in PKCS7) could eventually exceed the stack...

Read the Full Advisory

Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods

like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-997=1

Package List

- openSUSE Leap 42.3 (i586 x86_64):

compat-openssl098-debugsource-0.9.8j-24.1

libopenssl0_9_8-0.9.8j-24.1

libopenssl0_9_8-debuginfo-0.9.8j-24.1

- openSUSE Leap 42.3 (x86_64):

libopenssl0_9_8-32bit-0.9.8j-24.1

libopenssl0_9_8-debuginfo-32bit-0.9.8j-24.1

References

https://www.suse.com/security/cve/CVE-2018-0732.html

https://www.suse.com/security/cve/CVE-2018-0737.html

https://www.suse.com/security/cve/CVE-2018-0739.html

https://bugzilla.suse.com/1087102

https://bugzilla.suse.com/1089039

https://bugzilla.suse.com/1097158

https://bugzilla.suse.com/1097624

https://bugzilla.suse.com/1098592

--

Announcement ID: openSUSE-SU-2018:2695-1
Rating: moderate
Affected Products: openSUSE Leap 42.3 le.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.