Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 591
Alerts This Week
Warning Icon 1 591

SUSE: 2017:3343-1 Critical OpenSSL Security Advisory Released Today

suse
Calendar Grey December 16, 2017
Dist Suse Esm H88
An important update released by SUSE addresses critical security issues in OpenSSL with specific patch instructions.
An update that fixes two vulnerabilities is now available

Summary

This update for openssl fixes the following issues: - OpenSSL Security Advisory [07 Dec 2017] * CVE-2017-3737: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an \"error state\" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for

References

#1071905 #1071906

Cross- CVE-2017-3737 CVE-2017-3738

Affected Products:

SUSE Linux Enterprise Software Development Kit 12-SP3

SUSE Linux Enterprise Software Development Kit 12-SP2

SUSE Linux Enterprise Server for Raspberry Pi 12-SP2

SUSE Linux Enterprise Server 12-SP3

SUSE Linux Enterprise Server 12-SP2

SUSE Linux Enterprise Desktop 12-SP3

SUSE Linux Enterprise Desktop 12-SP2

SUSE Container as a Service Platform ALL

OpenStack Cloud Magnum Orchestration 7

https://www.suse.com/security/cve/CVE-2017-3737.html

https://www.suse.com/security/cve/CVE-2017-3738.html

https://bugzilla.suse.com/1071905

https://bugzilla.suse.com/1071906

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: SUSE-SU-2017:3343-1
Rating: important

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.