Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 541
Alerts This Week
Warning Icon 1 541

openSUSE Leap 15.2: 2020:3020-1 Moderate: openssl-1_1 Remote Code Execution

opensuse
Calendar Grey October 5, 2018
Dist Opensuse Esm H88
A recent update for Fedora resolves a vulnerability in libssl-1_1 to help prevent possible DDoS incidents efficiently.
An update that solves one vulnerability and has one errata is now available.

Description

This update for openssl-1_1 to 1.1.0i fixes the following issues:

These security issues were fixed:

- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E)

based ciphersuite a malicious server could have sent a very large prime

value to the client. This caused the client to spend an unreasonably

long period of time generating a key for this prime resulting in a hang

until the client has finished. This could be exploited in a Denial Of

Service attack (bsc#1097158)

- Make problematic ECDSA sign addition length-invariant

- Add blinding to ECDSA and DSA signatures to protect against side channel

attacks

These non-security issues were fixed:

- When unlocking a pass phrase protected PEM file or PKCS#8 container, we

now allow empty (zero character) pass phrases.

- Certificate time validation (X509_cmp_time) enforces stricter compliance

with RFC 5280. Fractional seconds and timezone offsets are no longer

...

Read the Full Advisory

Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods

like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1109=1

Package List

- openSUSE Leap 15.0 (i586 x86_64):

libopenssl-1_1-devel-1.1.0i-lp150.3.9.1

libopenssl1_1-1.1.0i-lp150.3.9.1

libopenssl1_1-debuginfo-1.1.0i-lp150.3.9.1

libopenssl1_1-hmac-1.1.0i-lp150.3.9.1

openssl-1_1-1.1.0i-lp150.3.9.1

openssl-1_1-debuginfo-1.1.0i-lp150.3.9.1

openssl-1_1-debugsource-1.1.0i-lp150.3.9.1

- openSUSE Leap 15.0 (noarch):

libopenssl-devel-1.1.0i-lp150.2.3.1

openssl-1.1.0i-lp150.2.3.1

openssl-1_1-doc-1.1.0i-lp150.3.9.1

- openSUSE Leap 15.0 (x86_64):

libopenssl-1_1-devel-32bit-1.1.0i-lp150.3.9.1

libopenssl1_1-32bit-1.1.0i-lp150.3.9.1

libopenssl1_1-32bit-debuginfo-1.1.0i-lp150.3.9.1

libopenssl1_1-hmac-32bit-1.1.0i-lp150.3.9.1

References

https://www.suse.com/security/cve/CVE-2018-0732.html

https://bugzilla.suse.com/1097158

https://bugzilla.suse.com/1101470

--

Announcement ID: openSUSE-SU-2018:3013-1
Rating: moderate
Affected Products: openSUSE Leap 15.0 le.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.