
Stay Secure with the Latest Linux Advisories


Explore Latest Linux Security advisories


openSUSE Leap 15.0: 2018:2592-1 Moderate: libressl Timing Leak

openSUSE Security Update: Security update for libressl
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2592-1
Rating: moderate
References: #1097779
Cross-References: CVE-2018-12434
Affected Products: openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for libressl to version 2.8.0 fixes the following issues:

Security issues fixed:

- CVE-2018-12434: Avoid a timing side-channel leak when generating DSA and ECDSA signatures. (boo#1097779)
- Reject excessively large primes in DH key generation.

Other bugs fixed:

- Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry.
- Tighten up checks for various X509_VERIFY_PARAM functions, 'poisoning' parameters so that an unverified certificate cannot be used if it fails verification.
- Fixed a potential memory leak on failure in ASN1_item_digest.
- Fixed a potential memory alignment crash in asn1_item_combine_free.
- Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths.
- Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds.
- Added const annotations to many existing APIs from OpenSSL, making interoperability easier for downstream applications.
- Added a missing bounds check in c2i_ASN1_BIT_STRING.
- Removed three remaining single DES cipher suites.
- Fixed a potential leak/incorrect return value in DSA signature generation.
- Added a blinding value when generating DSA and ECDSA signatures, in order to reduce the possibility of a side-channel attack leaking the private key.
- Added ECC constant time scalar multiplication support.
- Revised the implementation of RSASSA-PKCS1-v1_5 to match the specification in RFC 8017.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0: zypper in -t patch openSUSE-2018-950=1

Package List:

- openSUSE Leap 15.0 (i586 x86_64):

   libcrypto43-2.8.0-lp150.2.3.1
   libcrypto43-debuginfo-2.8.0-lp150.2.3.1
   libressl-2.8.0-lp150.2.3.1
   libressl-debuginfo-2.8.0-lp150.2.3.1
   libressl-debugsource-2.8.0-lp150.2.3.1
   libressl-devel-2.8.0-lp150.2.3.1
   libssl45-2.8.0-lp150.2.3.1
   libssl45-debuginfo-2.8.0-lp150.2.3.1
   libtls17-2.8.0-lp150.2.3.1
   libtls17-debuginfo-2.8.0-lp150.2.3.1

- openSUSE Leap 15.0 (noarch):

   libressl-devel-doc-2.8.0-lp150.2.3.1

- openSUSE Leap 15.0 (x86_64):

   libcrypto43-32bit-2.8.0-lp150.2.3.1
   libcrypto43-32bit-debuginfo-2.8.0-lp150.2.3.1
   libressl-devel-32bit-2.8.0-lp150.2.3.1
   libssl45-32bit-2.8.0-lp150.2.3.1
   libssl45-32bit-debuginfo-2.8.0-lp150.2.3.1
   libtls17-32bit-2.8.0-lp150.2.3.1
   libtls17-32bit-debuginfo-2.8.0-lp150.2.3.1

References:

https://www.suse.com/security/cve/CVE-2018-12434.html
https://bugzilla.suse.com/1097779

--

A patch for libressl in openSUSE Leap 15.0 resolved a moderate vulnerability, improving general security and system robustness.

LinuxSecurity.com Team

Sep 03, 2018 OpenSUSE

Security Update for nss and nspr in Scientific Linux SL5.x SLSA-2013:1135-1

Date: Mon, 5 Aug 2013 19:03:49 +0000
Reply-To: scientific-linux-users@
Sender: Security Errata for Scientific Linux
From: Pat Riehecky
Subject: Security ERRATA Moderate: nss and nspr on SL5.x i386/x86_64
MIME-Version: 1.0

Synopsis: Moderate: nss and nspr security, bug fix, and enhancement update
Advisory ID: SLSA-2013:1135-1
Issue Date: 2013-08-05
CVE Numbers: CVE-2013-1620
             CVE-2013-0791
--

It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-1620)

An out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash. (CVE-2013-0791)

This update also fixes the following bugs:

* A defect in the FreeBL library implementation of the Diffie-Hellman (DH) protocol previously caused Openswan to drop connections.
* A memory leak in the nssutil_ReadSecmodDB() function has been fixed.

In addition, the nss package has been upgraded to upstream version 3.14.3, and the nspr package has been upgraded to upstream version 4.9.5. These updates provide a number of bug fixes and enhancements over the previous versions.

Note that while upstream NSS version 3.14 prevents the use of certificates that have an MD5 signature, this erratum includes a patch that allows such certificates by default. To prevent the use of certificates that have an MD5 signature, set the "NSS_HASH_ALG_SUPPORT" environment variable to "-MD5".

After installing this update, applications using NSS or NSPR must be restarted for this update to take effect.

--

SL5

  x86_64

    nspr-4.9.5-1.el5_9.i386.rpm
    nspr-4.9.5-1.el5_9.x86_64.rpm
    nspr-debuginfo-4.9.5-1.el5_9.i386.rpm
    nspr-debuginfo-4.9.5-1.el5_9.x86_64.rpm
    nss-3.14.3-6.el5_9.i386.rpm
    nss-3.14.3-6.el5_9.x86_64.rpm
    nss-debuginfo-3.14.3-6.el5_9.i386.rpm
    nss-debuginfo-3.14.3-6.el5_9.x86_64.rpm
    nss-tools-3.14.3-6.el5_9.x86_64.rpm
    nspr-devel-4.9.5-1.el5_9.i386.rpm
    nspr-devel-4.9.5-1.el5_9.x86_64.rpm
    nss-devel-3.14.3-6.el5_9.i386.rpm
    nss-devel-3.14.3-6.el5_9.x86_64.rpm
    nss-pkcs11-devel-3.14.3-6.el5_9.i386.rpm
    nss-pkcs11-devel-3.14.3-6.el5_9.x86_64.rpm

  i386

    nspr-4.9.5-1.el5_9.i386.rpm
    nspr-debuginfo-4.9.5-1.el5_9.i386.rpm
    nss-3.14.3-6.el5_9.i386.rpm
    nss-debuginfo-3.14.3-6.el5_9.i386.rpm
    nss-tools-3.14.3-6.el5_9.i386.rpm
    nspr-devel-4.9.5-1.el5_9.i386.rpm
    nss-devel-3.14.3-6.el5_9.i386.rpm
    nss-pkcs11-devel-3.14.3-6.el5_9.i386.rpm

- Scientific Linux Development Team

Routine security patch for nss and nspr tackling TLS/SSL timing vulnerabilities along with various bug corrections. System reboot needed after installation.

LinuxSecurity.com Team

Aug 05, 2013 Scientific Linux