openSUSE Security Update: Security update for openssl
______________________________________________________________________________

Announcement ID: openSUSE-SU-2015:0130-1
Rating: important
References: #911399 #912014 #912015 #912018 #912292 #912293
#912294 #912296
Cross-References: CVE-2014-3569 CVE-2014-3570 CVE-2014-3571
CVE-2014-3572 CVE-2014-8275 CVE-2015-0204
CVE-2015-0205 CVE-2015-0206
Affected Products:
openSUSE 13.2
openSUSE 13.1
______________________________________________________________________________

An update that fixes 8 vulnerabilities is now available.

Description:

openssl was updated to 1.0.1k to fix various security issues and bugs.

More information can be found in the openssl advisory:
http://openssl.org/news/secadv_20150108.txt

Following issues were fixed:

* CVE-2014-3570 (bsc#912296): Bignum squaring (BN_sqr) may have produced
incorrect results on some platforms, including x86_64.

* CVE-2014-3571 (bsc#912294): Fixed crash in dtls1_get_record whilst in
the listen state where you get two separate reads performed – one for
the header and one for the body of the handshake record.

* CVE-2014-3572 (bsc#912015): Don’t accept a handshake using an ephemeral
ECDH ciphersuites with the server key exchange message omitted.

* CVE-2014-8275 (bsc#912018): Fixed various certificate fingerprint issues.

* CVE-2015-0204 (bsc#912014): Only allow ephemeral RSA keys in export
ciphersuites

* CVE-2015-0205 (bsc#912293): A fixwas added to prevent use of DH client
certificates without sending certificate verify message.

* CVE-2015-0206 (bsc#912292): A memory leak was fixed in
dtls1_buffer_record.

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– openSUSE 13.2:

zypper in -t patch openSUSE-2015-67

– openSUSE 13.1:

zypper in -t patch openSUSE-2015-67

To bring your system up-to-date, use “zypper patch”.

Package List:

– openSUSE 13.2 (i586 x86_64):

libopenssl-devel-1.0.1k-2.16.2
libopenssl1_0_0-1.0.1k-2.16.2
libopenssl1_0_0-debuginfo-1.0.1k-2.16.2
libopenssl1_0_0-hmac-1.0.1k-2.16.2
openssl-1.0.1k-2.16.2
openssl-debuginfo-1.0.1k-2.16.2
openssl-debugsource-1.0.1k-2.16.2

– openSUSE 13.2 (x86_64):

libopenssl-devel-32bit-1.0.1k-2.16.2
libopenssl1_0_0-32bit-1.0.1k-2.16.2
libopenssl1_0_0-debuginfo-32bit-1.0.1k-2.16.2
libopenssl1_0_0-hmac-32bit-1.0.1k-2.16.2

– openSUSE 13.2 (noarch):

openssl-doc-1.0.1k-2.16.2

– openSUSE 13.1 (i586 x86_64):

libopenssl-devel-1.0.1k-11.64.2
libopenssl1_0_0-1.0.1k-11.64.2
libopenssl1_0_0-debuginfo-1.0.1k-11.64.2
openssl-1.0.1k-11.64.2
openssl-debuginfo-1.0.1k-11.64.2
openssl-debugsource-1.0.1k-11.64.2

– openSUSE 13.1 (x86_64):

libopenssl-devel-32bit-1.0.1k-11.64.2
libopenssl1_0_0-32bit-1.0.1k-11.64.2
libopenssl1_0_0-debuginfo-32bit-1.0.1k-11.64.2

– openSUSE 13.1 (noarch):

openssl-doc-1.0.1k-11.64.2

References:

http://support.novell.com/security/cve/CVE-2014-3569.html
http://support.novell.com/security/cve/CVE-2014-3570.html
http://support.novell.com/security/cve/CVE-2014-3571.html
http://support.novell.com/security/cve/CVE-2014-3572.html
http://support.novell.com/security/cve/CVE-2014-8275.html
http://support.novell.com/security/cve/CVE-2015-0204.html
http://support.novell.com/security/cve/CVE-2015-0205.html
http://support.novell.com/security/cve/CVE-2015-0206.html
https://bugzilla.suse.com/show_bug.cgi?id=911399
https://bugzilla.suse.com/show_bug.cgi?id=912014
https://bugzilla.suse.com/show_bug.cgi?id=912015
https://bugzilla.suse.com/show_bug.cgi?id=912018
https://bugzilla.suse.com/show_bug.cgi?id=912292
https://bugzilla.suse.com/show_bug.cgi?id=912293
https://bugzilla.suse.com/show_bug.cgi?id=912294
https://bugzilla.suse.com/show_bug.cgi?id=912296

—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org