
Security vulnerability in the openssl software package

______________________________________________________________________________

SUSE Security Announcement

Package: openssl
Announcement-ID: SUSE-SA:2014:002
Date: Tuesday, Apr 8 17:00:00 CET 2014
Affected products: openSUSE 12.3
openSUSE 13.1
Vulnerability Type: remote memory disclosure
Rating: critical
SUSE default package: yes
Cross References: CVE-2014-0160

Content of this advisory:
1) security vulnerability resolved:
– remote memory disclosure in openssl
problem description
2) affected products
3) solution/workaround
4) special instructions and notes

______________________________________________________________________________

1) problem description, brief discussion

An issue with critical severity in the openssl 1.0.1 library has been
identified, under the code name "Heartbleed" (CVE-2014-0160).

In openssl 1.0.1 up to and including 1.0.1f, the TLS "Heartbeat"
extension could be used to disclose memory of the process handling
the SSL/TLS connection in an easily exploitable way.

The disclosed memory can include, and according to reports did include:
– secret key material (for SSL certificates)
– passwords and other authentication credentials (e.g. http cookies)
– other sensitive data transferred over SSL

This problem affected only openSUSE 12.3 and 13.1, which include
openssl 1.0.1e.

We have released updates for openSUSE 12.3 and 13.1, see
the associated automated update notice for package details:

http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.html

For further reading:
http://heartbleed.com/

2) affected products

openSUSE 12.3 and 13.1 are affected by this problem.

SUSE Linux Enterprise 11 and older products currently include openssl
0.9.8j or older versions, which do not include the TLS Heartbeat
extension and thus are not affected by this problem.
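
A version-based first-pass triage of the ranges given above, as an added example that is not part of the SUSE advisory: it parses the banner printed by `openssl version` and flags 1.0.1 through 1.0.1f as affected, while 0.9.8 and 1.0.0 (no Heartbeat extension) and 1.0.1g onward (first upstream release with the fix) are not. The host names and banners in the inventory are constructed.

```python
import re
from typing import Dict, NamedTuple, Optional


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    letter: str  # "" for a base release such as 1.0.1, "e" for 1.0.1e


# Matches the first token of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str) -> Optional[OpenSSLVersion]:
    """Parse an `openssl version` banner; None if the text is not such a banner."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return OpenSSLVersion(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def is_heartbleed_range(v: OpenSSLVersion) -> bool:
    """True for upstream 1.0.1 up to and including 1.0.1f (CVE-2014-0160)."""
    if (v.major, v.minor, v.patch) != (1, 0, 1):
        return False  # 0.9.8 and 1.0.0 have no Heartbeat extension; 1.0.2 was unreleased
    # Order letter suffixes by length first so that "" < "a" < ... < "f" < "g".
    return (len(v.letter), v.letter) <= (1, "f")


# Constructed sample inventory: host -> banner collected from that host.
SAMPLE_INVENTORY: Dict[str, str] = {
    "web-1.example": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-2.example": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy.example": "OpenSSL 0.9.8j 07 Jan 2009",
    "build.example": "OpenSSL 1.0.0l 6 Jan 2014",
    "unknown.example": "bash: openssl: command not found",
}


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Return {host: 'affected' | 'not-affected' | 'unknown'} for each inventory entry."""
    result = {}
    for host, banner in inventory.items():
        v = parse_openssl_version(banner)
        if v is None:
            result[host] = "unknown"
        else:
            result[host] = "affected" if is_heartbleed_range(v) else "not-affected"
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:18} {status}")
```

Distribution packages, openSUSE's included, usually backport the fix without changing the reported version, so an "affected" result means "verify against the package changelog", not proof of exposure; a "not-affected" result for 0.9.8 or 1.0.0 is reliable because those branches have no Heartbeat extension.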

3) solution/workaround

There is no workaround, please install the supplied updates.

4) special instructions and notes

After installing the updates, we strongly advise you to:

– Get new SSL certificates for the affected services.

– If your SSL service handled password authentication, we recommend
initiating password changes as soon as possible.

– Invalidate other sensitive data that may have been stored in the
memory of an exposed process, such as cookies or private URLs.
