______________________________________________________________________________
SUSE Security Announcement
Package: openssl
Announcement-ID: SUSE-SA:2014:002
Date: Tuesday, Apr 8 17:00:00 CET 2014
Affected products: openSUSE 12.3
openSUSE 13.1
Vulnerability Type: remote memory disclosure
Rating: critical
SUSE default package: yes
Cross References: CVE-2014-0160
Content of this advisory:
1) security vulnerability resolved:
     - remote memory disclosure in openssl
   problem description
2) affected products
3) solution/workaround
4) special instructions and notes
______________________________________________________________________________
1) problem description, brief discussion
An issue of critical severity in the openssl 1.0.1 library has been
identified, known under the code name "Heartbleed" (CVE-2014-0160).
In openssl 1.0.1 up to and including 1.0.1f, the TLS "Heartbeat"
extension (RFC 6520) could be used to disclose memory of the process
handling the SSL/TLS connection in an easily exploitable way: the
library trusted the payload length claimed in an incoming heartbeat
request without checking it against the actual record length, so a
single malformed request, sent without any authentication, returned up
to 64 KB of adjacent process memory. Both servers and clients that
negotiate the extension are exposed.
The disclosed memory can include, and according to reports did include:
 - private keys belonging to the server's SSL certificates
 - passwords and other authentication credentials (e.g. HTTP cookies)
 - other sensitive data transferred over SSL
This problem affects only openSUSE 12.3 and 13.1, which ship
openssl 1.0.1e.
We have released updates for openSUSE 12.3 and 13.1, see
the associated automated update notice for package details:
http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.html
Note that the fix is applied as a patch to the existing 1.0.1e package,
so the library version string alone does not tell you whether a system
is fixed; check the installed package's changelog for a CVE-2014-0160
entry.
For further reading:
http://heartbleed.com/
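To make the missing check concrete, here is an added example in C that models the heartbeat handler. It is not code from this advisory or from the OpenSSL project: the record structure, the simulated process memory and the cookie string are constructed for the demonstration, and the two handlers follow the shape of the 1.0.1f code and the 1.0.1g fix in simplified form (fixed-size buffers, zeroed instead of random padding, and a small claimed length so the model's over-read stays inside its own simulated memory rather than reading beyond the array).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* minimum padding required by RFC 6520 */

/* Stand-in for the TLS record the library has just read: 'data' points
 * into process memory and 'length' is the record's real size. */
struct record {
    const unsigned char *data;
    size_t length;
};

/* Shape of the 1.0.1 .. 1.0.1f handler: the 16-bit payload length is read
 * from the attacker's message and never compared with rec->length, so the
 * memcpy runs past the record into whatever the process holds next.
 * Writes a heartbeat response into 'out' and returns its size. */
static size_t process_heartbeat_vulnerable(const struct record *rec,
                                           unsigned char *out)
{
    const unsigned char *p = rec->data;
    unsigned char hbtype = *p++;
    unsigned int payload = (p[0] << 8) | p[1];   /* n2s(p, payload) */
    p += 2;
    if (hbtype != TLS1_HB_REQUEST)
        return 0;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);      /* s2n(payload, bp) */
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);                 /* the over-read */
    memset(out + 3 + payload, 0, HB_PADDING);    /* padding (random in the library) */
    return 3 + payload + HB_PADDING;
}

/* Shape of the 1.0.1g fix: discard the message silently when the claimed
 * payload plus header and padding does not fit in the record. */
static size_t process_heartbeat_fixed(const struct record *rec,
                                      unsigned char *out)
{
    const unsigned char *p = rec->data;
    unsigned char hbtype;
    unsigned int payload;
    if (1 + 2 + HB_PADDING > rec->length)
        return 0;                  /* too short to be a heartbeat at all */
    hbtype = *p++;
    payload = (p[0] << 8) | p[1];
    p += 2;
    if (1 + 2 + payload + HB_PADDING > rec->length)
        return 0;                  /* claimed length exceeds the record */
    if (hbtype != TLS1_HB_REQUEST)
        return 0;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);                 /* now bounded by the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Constructed scenario: a 7-byte heartbeat record (type, 2-byte length,
 * 4-byte payload "ping") sits in simulated process memory right before a
 * buffer that still holds a session cookie. The attacker claims 40 bytes. */
#define SECRET "Cookie: session=hunter2;"
static unsigned char memory[128];
static const struct record attacker_record = { memory, 7 };

static void setup_memory(void)
{
    memset(memory, 0, sizeof memory);
    memory[0] = TLS1_HB_REQUEST;
    memory[1] = 0x00; memory[2] = 40;            /* claimed payload: 40 bytes */
    memcpy(memory + 3, "ping", 4);               /* the real 4-byte payload */
    memcpy(memory + 7, SECRET, sizeof SECRET);   /* stale data from another request */
}

static int contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}

/* 1 if the vulnerable handler's response carries the cookie. */
int vulnerable_leaks_secret(void)
{
    unsigned char out[256];
    setup_memory();
    size_t n = process_heartbeat_vulnerable(&attacker_record, out);
    return n == 3 + 40 + HB_PADDING && contains(out, n, SECRET);
}

/* 1 if the fixed handler drops the same request without answering. */
int fixed_rejects_oversized_request(void)
{
    unsigned char out[256];
    setup_memory();
    return process_heartbeat_fixed(&attacker_record, out) == 0;
}

/* 1 if the fixed handler still answers a heartbeat whose claimed length
 * matches its record (header + 4-byte payload + padding = 23 bytes). */
int fixed_answers_honest_request(void)
{
    unsigned char out[256], msg[1 + 2 + 4 + HB_PADDING] = {0};
    msg[0] = TLS1_HB_REQUEST; msg[1] = 0x00; msg[2] = 4;
    memcpy(msg + 3, "ping", 4);
    struct record honest = { msg, sizeof msg };
    size_t n = process_heartbeat_fixed(&honest, out);
    return n == 3 + 4 + HB_PADDING && memcmp(out + 3, "ping", 4) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks the cookie:     %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler rejects the 40-byte claim: %s\n", fixed_rejects_oversized_request() ? "yes" : "no");
    printf("fixed handler answers an honest ping:    %s\n", fixed_answers_honest_request() ? "yes" : "no");
    return 0;
}
```

The real exploit claims 0xFFFF bytes per request and repeats it, which is why whole private keys and cookies could be recovered; the model uses 40 bytes only so that it can run safely. The fix adds nothing but the two length comparisons, which is also why a backported patch leaves the version string unchanged.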
2) affected products
openSUSE 12.3 and 13.1 are affected by this problem.
SUSE Linux Enterprise 11 and older products currently include openssl
0.9.8j or older versions, which do not include the TLS Heartbeat
extension and thus are not affected by this problem.
3) solution/workaround
There is no configuration-level workaround; please install the supplied updates.
4) special instructions and notes
After installing the updates, we strongly advise you to:
 - Restart every service that links against libssl (or reboot), since
   a running process keeps the old, vulnerable library mapped until it
   is restarted. Do this before generating new keys, or the new keys
   can be exposed in the same way.
 - Get new SSL certificates for the affected services, issued for
   freshly generated private keys, and revoke the old certificates.
 - If your SSL service handled password authentication, we recommend
   initiating password changes as soon as possible.
 - Invalidate other sensitive data that may have been stored in the
   memory of an exposed process, such as session cookies or private URLs.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
iQEVAwUBU0QZz3ey5gA9JdPZAQJv3Qf+Kd3zzFnpRgz8arWo0u/zFwQKNBEHjYlN
QgnZR7oNNqHecuMAbsjvO897pLOJu3F1HjLzNElfzZ+3YY9crSReryIqMhHYba1U
/SYlcwFwwUMFgdPMxwNehLHLuPXNlyqQVlHl/Fc2nsYDdxh+6WGriW9hVE4k2oL3
AU07pwR8kY+LkHwejPCHeA/mB8Uw4///NrcWtAjfMoXbz+dmlrN4MJE6NoULVp2f
azTxkFLlPzatuSCqjtWUBJ5tcaKUQwV8+ffbmgq8F9vC6jYHLOr5LL/ktOthapLB
iaeUwbtBV/lpwa7ZnVXw/hBQQ1a536VJt9P3nvQnLAbBQxNn8xqJaA==
=NwmI
-----END PGP SIGNATURE-----