Explore Latest Linux Security advisories


openSUSE: 2018:2597-1 Moderate: libressl Timing Attack Fix

openSUSE Security Update: Security update for libressl
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2018:2597-1
Rating:             moderate
References:         #1065363 #1086778 #1097779
Cross-References:   CVE-2018-12434 CVE-2018-8970
Affected Products:  openSUSE Leap 42.3
______________________________________________________________________________

An update that solves two vulnerabilities and has one errata is now available.

Description:

This update for libressl to version 2.8.0 fixes the following issues:

Security issues fixed:

- CVE-2018-12434: Avoid a timing side-channel leak when generating DSA and ECDSA signatures. (boo#1097779)
- Reject excessively large primes in DH key generation.
- CVE-2018-8970: Fixed a bug in int_x509_param_set_hosts, which now calls strlen() when the provided name length is 0, matching the OpenSSL behaviour. (boo#1086778)
- Fixed an out-of-bounds read and crash in DES-fcrypt. (boo#1065363)

You can find a detailed list of changes [here]( .txt).

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:
  zypper in -t patch openSUSE-2018-953=1

Package List:

- openSUSE Leap 42.3 (i586 x86_64):
  libcrypto43-2.8.0-11.1
  libcrypto43-debuginfo-2.8.0-11.1
  libressl-2.8.0-11.1
  libressl-debuginfo-2.8.0-11.1
  libressl-debugsource-2.8.0-11.1
  libressl-devel-2.8.0-11.1
  libssl45-2.8.0-11.1
  libssl45-debuginfo-2.8.0-11.1
  libtls17-2.8.0-11.1
  libtls17-debuginfo-2.8.0-11.1

- openSUSE Leap 42.3 (x86_64):
  libcrypto43-32bit-2.8.0-11.1
  libcrypto43-debuginfo-32bit-2.8.0-11.1
  libressl-devel-32bit-2.8.0-11.1
  libssl45-32bit-2.8.0-11.1
  libssl45-debuginfo-32bit-2.8.0-11.1
  libtls17-32bit-2.8.0-11.1
  libtls17-debuginfo-32bit-2.8.0-11.1

- openSUSE Leap 42.3 (noarch):
  libressl-devel-doc-2.8.0-11.1

References:

https://www.suse.com/security/cve/CVE-2018-12434.html
https://www.suse.com/security/cve/CVE-2018-8970.html
https://bugzilla.suse.com/1065363
https://bugzilla.suse.com/1086778
https://bugzilla.suse.com/1097779

This update fixes two vulnerabilities and one further bug in libressl for openSUSE Leap 42.3.
LinuxSecurity.com Team

Sep 04, 2018, OpenSUSE

openSUSE Leap 15.0: 2018:2592-1 Moderate: libressl Timing Leak

openSUSE Security Update: Security update for libressl
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2018:2592-1
Rating:             moderate
References:         #1097779
Cross-References:   CVE-2018-12434
Affected Products:  openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for libressl to version 2.8.0 fixes the following issues:

Security issues fixed:

- CVE-2018-12434: Avoid a timing side-channel leak when generating DSA and ECDSA signatures. (boo#1097779)
- Reject excessively large primes in DH key generation.

Other bugs fixed:

- Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry.
- Tighten up checks for various X509_VERIFY_PARAM functions, 'poisoning' parameters so that an unverified certificate cannot be used if it fails verification.
- Fixed a potential memory leak on failure in ASN1_item_digest.
- Fixed a potential memory alignment crash in asn1_item_combine_free.
- Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths.
- Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds.
- Added const annotations to many existing APIs from OpenSSL, making interoperability easier for downstream applications.
- Added a missing bounds check in c2i_ASN1_BIT_STRING.
- Removed three remaining single DES cipher suites.
- Fixed a potential leak/incorrect return value in DSA signature generation.
- Added a blinding value when generating DSA and ECDSA signatures, in order to reduce the possibility of a side-channel attack leaking the private key.
- Added ECC constant time scalar multiplication support.
- Revised the implementation of RSASSA-PKCS1-v1_5 to match the specification in RFC 8017.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:
  zypper in -t patch openSUSE-2018-950=1

Package List:

- openSUSE Leap 15.0 (i586 x86_64):
  libcrypto43-2.8.0-lp150.2.3.1
  libcrypto43-debuginfo-2.8.0-lp150.2.3.1
  libressl-2.8.0-lp150.2.3.1
  libressl-debuginfo-2.8.0-lp150.2.3.1
  libressl-debugsource-2.8.0-lp150.2.3.1
  libressl-devel-2.8.0-lp150.2.3.1
  libssl45-2.8.0-lp150.2.3.1
  libssl45-debuginfo-2.8.0-lp150.2.3.1
  libtls17-2.8.0-lp150.2.3.1
  libtls17-debuginfo-2.8.0-lp150.2.3.1

- openSUSE Leap 15.0 (noarch):
  libressl-devel-doc-2.8.0-lp150.2.3.1

- openSUSE Leap 15.0 (x86_64):
  libcrypto43-32bit-2.8.0-lp150.2.3.1
  libcrypto43-32bit-debuginfo-2.8.0-lp150.2.3.1
  libressl-devel-32bit-2.8.0-lp150.2.3.1
  libssl45-32bit-2.8.0-lp150.2.3.1
  libssl45-32bit-debuginfo-2.8.0-lp150.2.3.1
  libtls17-32bit-2.8.0-lp150.2.3.1
  libtls17-32bit-debuginfo-2.8.0-lp150.2.3.1

References:

https://www.suse.com/security/cve/CVE-2018-12434.html
https://bugzilla.suse.com/1097779

This patch for libressl in openSUSE Leap 15.0 resolves one moderate vulnerability and a number of other bugs.
LinuxSecurity.com Team

Sep 03, 2018, OpenSUSE
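Both 2.8.0 advisories above fix CVE-2018-12434 by adding a blinding value to DSA and ECDSA signature generation. The following is an added toy illustration of what that blinding does, written for this page; it is not LibreSSL's code. The domain parameters P, Q and G are constructed and far too small to be secure, the message is constructed, and the fixed nonce in the test exists only so the two signing paths can be compared. The unblinded function is textbook DSA, where the modular inverse and the multiplications take the nonce k and the private key x directly as operands; the blinded function multiplies those operands by a fresh random b first, so the signature is unchanged but the values the arithmetic actually runs on vary with b rather than being a fixed function of the secrets. Python's own pow() is not constant-time either, which is the point: blinding is what decouples the timing from the secrets, not the arithmetic primitive.

```python
"""Toy DSA signing with and without nonce blinding (added illustration for
CVE-2018-12434; not LibreSSL code).  The domain parameters are constructed
and insecurely small so the arithmetic can be followed by hand."""
import hashlib
import secrets
from typing import Optional, Tuple

P = 283                       # constructed prime modulus
Q = 47                        # constructed prime with Q | P-1 (282 = 6 * 47)
G = pow(2, (P - 1) // Q, P)   # generator of the order-Q subgroup (equals 64)


def hash_to_int(msg: bytes) -> int:
    """Reduce SHA-256 of msg into the scalar field, as DSA does."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def keygen(x: Optional[int] = None) -> Tuple[int, int]:
    """Return (x, y): private scalar and public element y = G^x mod P."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign_unblinded(x: int, h: int, k: int) -> Tuple[int, int]:
    """Textbook DSA: s = k^-1 * (h + x*r) mod Q.

    The inversion runs on k itself and the multiplication on x directly,
    so any data-dependent timing in those operations is correlated with
    the secrets.  This is the shape of signing that CVE-2018-12434 is about."""
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (h + x * r)) % Q
    return r, s


def sign_blinded(x: int, h: int, k: int, b: Optional[int] = None) -> Tuple[int, int]:
    """Blinded DSA, following the construction the changelog describes.

    A fresh random b multiplies both the value being inverted and the value
    it is multiplied with:
        s = (b*k)^-1 * (b*h + b*x*r) mod Q
    The b factors cancel, so the signature is identical to the unblinded
    one, but the inversion now runs on b*k and the products on b*h and
    b*x*r, none of which is a fixed function of k or x across signatures."""
    if b is None:
        b = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P) % Q
    bk = (b * k) % Q
    blinded_numerator = (b * h + b * x * r) % Q
    s = (pow(bk, -1, Q) * blinded_numerator) % Q
    return r, s


def verify(y: int, h: int, sig: Tuple[int, int]) -> bool:
    """Standard DSA verification.  Blinding is a signer-side implementation
    detail and changes nothing here."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = (pow(G, (h * w) % Q, P) * pow(y, (r * w) % Q, P)) % P % Q
    return v == r


def demo() -> bool:
    """Sign a constructed message both ways with the same nonce and check
    that the signatures agree and verify.  As real DSA does, a nonce that
    yields r == 0 or s == 0 is discarded and a new one drawn."""
    x, y = keygen(7)
    h = hash_to_int(b"constructed sample message")
    while True:
        k = secrets.randbelow(Q - 1) + 1
        plain = sign_unblinded(x, h, k)
        if 0 not in plain:
            break
    blinded = sign_blinded(x, h, k)
    return plain == blinded and verify(y, h, plain)


if __name__ == "__main__":
    print("blinded and unblinded signatures agree and verify:", demo())
```

Running the module prints True: the blinded and unblinded signatures are identical, which is exactly why this fix is invisible to verifiers and needed no protocol change. The same idea applies to ECDSA, where r comes from a scalar multiplication instead of a modular exponentiation and the advisory's separate "constant time scalar multiplication" item covers that step.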

openSUSE 13.2 Advisory: 2015:1277-1 Important Libressl DoS Issues

openSUSE Security Update: Security update for libressl
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2015:1277-1
Rating:             important
References:         #912015 #912018 #912292 #912293 #912296 #919648 #920236 #922496 #922499 #922500 #931600 #934487 #934489 #934491 #934493 #934494 #937891
Cross-References:   CVE-2014-3570 CVE-2014-3572 CVE-2014-8176 CVE-2014-8275 CVE-2015-0205 CVE-2015-0206 CVE-2015-0209 CVE-2015-0286 CVE-2015-0287 CVE-2015-0288 CVE-2015-0289 CVE-2015-1788 CVE-2015-1789 CVE-2015-1790 CVE-2015-1792 CVE-2015-4000
Affected Products:  openSUSE 13.2
______________________________________________________________________________

An update that solves 16 vulnerabilities and has one errata is now available.

Description:

libressl was updated to version 2.2.1 to fix 16 security issues.

LibreSSL is a fork of OpenSSL. Because of that, CVEs affecting OpenSSL often also affect LibreSSL.

These security issues were fixed:

- CVE-2014-3570: The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k did not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c (bsc#912296).
- CVE-2014-3572: The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allowed remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message (bsc#912015).
- CVE-2015-1792: The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allowed remote attackers to cause a denial of service (infinite loop) via vectors that trigger a NULL value of a BIO data structure, as demonstrated by an unrecognized X.660 OID for a hash function (bsc#934493).
- CVE-2014-8275: OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k did not enforce certain constraints on certificate data, which allowed remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c (bsc#912018).
- CVE-2015-0209: Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might have allowed remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import (bsc#919648).
- CVE-2015-1789: The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allowed remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted length field in ASN1_TIME data, as demonstrated by an attack against a server that supports client authentication with a custom verification callback (bsc#934489).
- CVE-2015-1788: The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before 0.9.8s, 1.0.0 before 1.0.0e, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b did not properly handle ECParameters structures in which the curve is over a malformed binary polynomial field, which allowed remote attackers to cause a denial of service (infinite loop) via a session that used an Elliptic Curve algorithm, as demonstrated by an attack against a server that supports client authentication (bsc#934487).
- CVE-2015-1790: The PKCS7_dataDecode function in crypto/pkcs7/pk7_doit.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PKCS#7 blob that used ASN.1 encoding and lacks inner EncryptedContent data (bsc#934491).
- CVE-2015-0287: The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a did not reinitialize CHOICE and ADB data structures, which might have allowed attackers to cause a denial of service (invalid write operation and memory corruption) by leveraging an application that relies on ASN.1 structure reuse (bsc#922499).
- CVE-2015-0286: The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a did not properly perform boolean-type comparisons, which allowed remote attackers to cause a denial of service (invalid read operation and application crash) via a crafted X.509 certificate to an endpoint that used the certificate-verification feature (bsc#922496).
- CVE-2015-0289: The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a did not properly handle a lack of outer ContentInfo, which allowed attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, related to crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c (bsc#922500).
- CVE-2015-0288: The X509_to_X509_REQ function in crypto/x509/x509_req.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might have allowed attackers to cause a denial of service (NULL pointer dereference and application crash) via an invalid certificate key (bsc#920236).
- CVE-2014-8176: The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h frees data structures without considering that application data can arrive between a ChangeCipherSpec message and a Finished message, which allowed remote DTLS peers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unexpected application data (bsc#934494).
- CVE-2015-4000: The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, did not properly convey a DHE_EXPORT choice, which allowed man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue (bsc#931600).
- CVE-2015-0205: The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k accepted client authentication with a Diffie-Hellman (DH) certificate without requiring a CertificateVerify message, which allowed remote attackers to obtain access without knowledge of a private key via crafted TLS Handshake Protocol traffic to a server that recognizes a Certification Authority with DH support (bsc#912293).
- CVE-2015-0206: Memory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allowed remote attackers to cause a denial of service (memory consumption) by sending many duplicate records for the next epoch, leading to failure of replay detection (bsc#912292).

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

- openSUSE 13.2:
  zypper in -t patch openSUSE-2015-507=1

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 13.2 (i586 x86_64):
  libcrypto34-2.2.1-2.3.1
  libcrypto34-debuginfo-2.2.1-2.3.1
  libressl-2.2.1-2.3.1
  libressl-debuginfo-2.2.1-2.3.1
  libressl-debugsource-2.2.1-2.3.1
  libressl-devel-2.2.1-2.3.1
  libssl33-2.2.1-2.3.1
  libssl33-debuginfo-2.2.1-2.3.1
  libtls4-2.2.1-2.3.1
  libtls4-debuginfo-2.2.1-2.3.1

- openSUSE 13.2 (x86_64):
  libcrypto34-32bit-2.2.1-2.3.1
  libcrypto34-debuginfo-32bit-2.2.1-2.3.1
  libressl-devel-32bit-2.2.1-2.3.1
  libssl33-32bit-2.2.1-2.3.1
  libssl33-debuginfo-32bit-2.2.1-2.3.1
  libtls4-32bit-2.2.1-2.3.1
  libtls4-debuginfo-32bit-2.2.1-2.3.1

- openSUSE 13.2 (noarch):
  libressl-devel-doc-2.2.1-2.3.1

References:

https://www.suse.com/security/cve/CVE-2014-3570.html
https://www.suse.com/security/cve/CVE-2014-3572.html
https://www.suse.com/security/cve/CVE-2014-8176.html
https://www.suse.com/security/cve/CVE-2014-8275.html
https://www.suse.com/security/cve/CVE-2015-0205.html
https://www.suse.com/security/cve/CVE-2015-0206.html
https://www.suse.com/security/cve/CVE-2015-0209.html
https://www.suse.com/security/cve/CVE-2015-0286.html
https://www.suse.com/security/cve/CVE-2015-0287.html
https://www.suse.com/security/cve/CVE-2015-0288.html
https://www.suse.com/security/cve/CVE-2015-0289.html
https://www.suse.com/security/cve/CVE-2015-1788.html
https://www.suse.com/security/cve/CVE-2015-1789.html
https://www.suse.com/security/cve/CVE-2015-1790.html
https://www.suse.com/security/cve/CVE-2015-1792.html
https://www.suse.com/security/cve/CVE-2015-4000.html
https://bugzilla.suse.com/show_bug.cgi?id=912015
https://bugzilla.suse.com/show_bug.cgi?id=912018
https://bugzilla.suse.com/show_bug.cgi?id=912292
https://bugzilla.suse.com/show_bug.cgi?id=912293
https://bugzilla.suse.com/show_bug.cgi?id=912296
https://bugzilla.suse.com/show_bug.cgi?id=919648
https://bugzilla.suse.com/show_bug.cgi?id=920236
https://bugzilla.suse.com/show_bug.cgi?id=922496
https://bugzilla.suse.com/show_bug.cgi?id=922499
https://bugzilla.suse.com/show_bug.cgi?id=922500
https://bugzilla.suse.com/show_bug.cgi?id=931600
https://bugzilla.suse.com/show_bug.cgi?id=934487
https://bugzilla.suse.com/show_bug.cgi?id=934489
https://bugzilla.suse.com/show_bug.cgi?id=934491
https://bugzilla.suse.com/show_bug.cgi?id=934493
https://bugzilla.suse.com/show_bug.cgi?id=934494
https://bugzilla.suse.com/show_bug.cgi?id=937891

This important update resolves 16 vulnerabilities in libressl for openSUSE 13.2, most of them remotely triggerable denial-of-service conditions inherited from OpenSSL, plus the Logjam DHE_EXPORT downgrade.
Severity: Important.
LinuxSecurity.com Team

Jul 22, 2015, Important, OpenSUSE