===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1670
               SUSE Security Update: Security update for openssl
                               26 June 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openssl
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Denial of Service              -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-4000 CVE-2015-3216 CVE-2015-1792 CVE-2015-1791
                   CVE-2015-1790 CVE-2015-1789 CVE-2015-1788
Reference:         ESB-2015.1669 ESB-2015.1663 ESB-2015.1655 ESB-2015.1569
                   ESB-2015.1561 ESB-2015.1557 ESB-2015.1540 ESB-2015.1544.2

--------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for openssl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1143-1
Rating:             important
References:         #926597 #929678 #931698 #933898 #933911 #934487 #934489
                    #934491 #934493
Cross-References:   CVE-2015-1788 CVE-2015-1789 CVE-2015-1790 CVE-2015-1791
                    CVE-2015-1792 CVE-2015-3216 CVE-2015-4000
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves 7 vulnerabilities and has two fixes is now available.
Description:

   This update of openssl fixes the following security issues:

   - CVE-2015-4000 (bsc#931698)
     * The Logjam Attack / weakdh.org
     * reject connections with DH parameters shorter than 1024 bits
     * generates 2048-bit DH parameters by default
   - CVE-2015-1788 (bsc#934487)
     * Malformed ECParameters causes infinite loop
   - CVE-2015-1789 (bsc#934489)
     * Exploitable out-of-bounds read in X509_cmp_time
   - CVE-2015-1790 (bsc#934491)
     * PKCS7 crash with missing EnvelopedContent
   - CVE-2015-1792 (bsc#934493)
     * CMS verify infinite loop with unknown hash function
   - CVE-2015-1791 (bsc#933911)
     * race condition in NewSessionTicket
   - CVE-2015-3216 (bsc#933898)
     * Crash in ssleay_rand_bytes due to locking regression
   - fix a timing side channel in RSA decryption (bnc#929678)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-282=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-282=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-282=1

   To bring your system up-to-date, use "zypper patch".
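To confirm the patch actually landed across a fleet of SLE 12 hosts, compare each installed openssl package with the fixed build 1.0.1i-25.1 named in the package list. This added Python example (not part of the SUSE advisory) reads the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` (a constructed sample is embedded) and applies rpm's segment-by-segment version comparison, simplified to leave out the tilde/caret rules; the function names are mine.

```python
import re

# Fixed build from the advisory's package list (SUSE-SU-2015:1143-1).
FIXED_VERSION, FIXED_RELEASE = "1.0.1i", "25.1"

# Binary packages the advisory updates (debuginfo/debugsource omitted).
OPENSSL_PKGS = {"openssl", "openssl-doc", "libopenssl-devel", "libopenssl1_0_0",
                "libopenssl1_0_0-32bit", "libopenssl1_0_0-hmac", "libopenssl1_0_0-hmac-32bit"}

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output
# from a partially updated host (three packages still carry an older release).
SAMPLE_RPM_QA = """\
libopenssl1_0_0-1.0.1i-24.1
libopenssl1_0_0-hmac-1.0.1i-24.1
openssl-1.0.1i-25.1
openssl-doc-1.0.1i-25.1
libopenssl-devel-1.0.1i-20.3
zypper-1.11.14-1.1
"""

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a, b):
    """Compare like rpm: split into digit and letter runs; digits compare
    numerically, letters lexically, a digit run beats a letter run, and the
    longer string wins on a tie (rpm's tilde/caret rules are left out)."""
    xs, ys = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(xs, ys):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(xs) > len(ys)) - (len(xs) < len(ys))

def is_fixed(version, release):
    """True when version-release is at or above the advisory's fixed build."""
    c = rpmvercmp(version, FIXED_VERSION)
    return c > 0 or (c == 0 and rpmvercmp(release, FIXED_RELEASE) >= 0)

def unpatched_packages(rpm_qa_output):
    """NAME-VERSION-RELEASE lines of openssl packages still below the fix."""
    missing = []
    for line in rpm_qa_output.splitlines():
        parts = line.strip().rsplit("-", 2)  # the name itself may contain dashes
        if len(parts) == 3 and parts[0] in OPENSSL_PKGS and not is_fixed(parts[1], parts[2]):
            missing.append(line.strip())
    return missing
```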
Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      libopenssl-devel-1.0.1i-25.1
      openssl-debuginfo-1.0.1i-25.1
      openssl-debugsource-1.0.1i-25.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      libopenssl1_0_0-1.0.1i-25.1
      libopenssl1_0_0-debuginfo-1.0.1i-25.1
      libopenssl1_0_0-hmac-1.0.1i-25.1
      openssl-1.0.1i-25.1
      openssl-debuginfo-1.0.1i-25.1
      openssl-debugsource-1.0.1i-25.1

   - SUSE Linux Enterprise Server 12 (s390x x86_64):

      libopenssl1_0_0-32bit-1.0.1i-25.1
      libopenssl1_0_0-debuginfo-32bit-1.0.1i-25.1
      libopenssl1_0_0-hmac-32bit-1.0.1i-25.1

   - SUSE Linux Enterprise Server 12 (noarch):

      openssl-doc-1.0.1i-25.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      libopenssl1_0_0-1.0.1i-25.1
      libopenssl1_0_0-32bit-1.0.1i-25.1
      libopenssl1_0_0-debuginfo-1.0.1i-25.1
      libopenssl1_0_0-debuginfo-32bit-1.0.1i-25.1
      openssl-1.0.1i-25.1
      openssl-debuginfo-1.0.1i-25.1
      openssl-debugsource-1.0.1i-25.1

References:

   https://www.suse.com/security/cve/CVE-2015-1788.html
   https://www.suse.com/security/cve/CVE-2015-1789.html
   https://www.suse.com/security/cve/CVE-2015-1790.html
   https://www.suse.com/security/cve/CVE-2015-1791.html
   https://www.suse.com/security/cve/CVE-2015-1792.html
   https://www.suse.com/security/cve/CVE-2015-3216.html
   https://www.suse.com/security/cve/CVE-2015-4000.html
   https://bugzilla.suse.com/926597
   https://bugzilla.suse.com/929678
   https://bugzilla.suse.com/931698
   https://bugzilla.suse.com/933898
   https://bugzilla.suse.com/933911
   https://bugzilla.suse.com/934487
   https://bugzilla.suse.com/934489
   https://bugzilla.suse.com/934491
   https://bugzilla.suse.com/934493

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT
did not write the document quoted above, AusCERT has had no control over its
content. The decision to follow or act on information or advice contained in
this security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================