===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1670
             SUSE Security Update: Security update for openssl
                               26 June 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          openssl
Publisher:        SUSE
Operating System: SUSE
Impact/Access:    Access Privileged Data         -- Remote/Unauthenticated
                  Provide Misleading Information -- Remote/Unauthenticated
                  Denial of Service              -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2015-4000 CVE-2015-3216 CVE-2015-1792
                  CVE-2015-1791 CVE-2015-1790 CVE-2015-1789
                  CVE-2015-1788  

Reference:        ESB-2015.1669
                  ESB-2015.1663
                  ESB-2015.1655
                  ESB-2015.1569
                  ESB-2015.1561
                  ESB-2015.1557
                  ESB-2015.1540
                  ESB-2015.1544.2

--------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for openssl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1143-1
Rating:             important
References:         #926597 #929678 #931698 #933898 #933911 #934487 
                    #934489 #934491 #934493 
Cross-References:   CVE-2015-1788 CVE-2015-1789 CVE-2015-1790
                    CVE-2015-1791 CVE-2015-1792 CVE-2015-3216
                    CVE-2015-4000
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves 7 vulnerabilities and has two fixes
   is now available.

Description:


   This update of openssl fixes the following security issues:
   - CVE-2015-4000 (bsc#931698)
     * The Logjam Attack / weakdh.org
     * rejects connections with DH parameters shorter than 1024 bits
     * generates 2048-bit DH parameters by default
   - CVE-2015-1788 (bsc#934487)
     * Malformed ECParameters causes infinite loop
   - CVE-2015-1789 (bsc#934489)
     * Exploitable out-of-bounds read in X509_cmp_time
   - CVE-2015-1790 (bsc#934491)
     * PKCS7 crash with missing EnvelopedContent
   - CVE-2015-1792 (bsc#934493)
     * CMS verify infinite loop with unknown hash function
   - CVE-2015-1791 (bsc#933911)
     * race condition in NewSessionTicket
   - CVE-2015-3216 (bsc#933898)
     * Crash in ssleay_rand_bytes due to locking regression
   - fix a timing side channel in RSA decryption (bnc#929678)


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-282=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-282=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-282=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      libopenssl-devel-1.0.1i-25.1
      openssl-debuginfo-1.0.1i-25.1
      openssl-debugsource-1.0.1i-25.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      libopenssl1_0_0-1.0.1i-25.1
      libopenssl1_0_0-debuginfo-1.0.1i-25.1
      libopenssl1_0_0-hmac-1.0.1i-25.1
      openssl-1.0.1i-25.1
      openssl-debuginfo-1.0.1i-25.1
      openssl-debugsource-1.0.1i-25.1

   - SUSE Linux Enterprise Server 12 (s390x x86_64):

      libopenssl1_0_0-32bit-1.0.1i-25.1
      libopenssl1_0_0-debuginfo-32bit-1.0.1i-25.1
      libopenssl1_0_0-hmac-32bit-1.0.1i-25.1

   - SUSE Linux Enterprise Server 12 (noarch):

      openssl-doc-1.0.1i-25.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      libopenssl1_0_0-1.0.1i-25.1
      libopenssl1_0_0-32bit-1.0.1i-25.1
      libopenssl1_0_0-debuginfo-1.0.1i-25.1
      libopenssl1_0_0-debuginfo-32bit-1.0.1i-25.1
      openssl-1.0.1i-25.1
      openssl-debuginfo-1.0.1i-25.1
      openssl-debugsource-1.0.1i-25.1


References:

   https://www.suse.com/security/cve/CVE-2015-1788.html
   https://www.suse.com/security/cve/CVE-2015-1789.html
   https://www.suse.com/security/cve/CVE-2015-1790.html
   https://www.suse.com/security/cve/CVE-2015-1791.html
   https://www.suse.com/security/cve/CVE-2015-1792.html
   https://www.suse.com/security/cve/CVE-2015-3216.html
   https://www.suse.com/security/cve/CVE-2015-4000.html
   https://bugzilla.suse.com/926597
   https://bugzilla.suse.com/929678
   https://bugzilla.suse.com/931698
   https://bugzilla.suse.com/933898
   https://bugzilla.suse.com/933911
   https://bugzilla.suse.com/934487
   https://bugzilla.suse.com/934489
   https://bugzilla.suse.com/934491
   https://bugzilla.suse.com/934493

--------------------------END INCLUDED TEXT--------------------
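
Added example (not part of the SUSE or AusCERT text): a post-patch check that reads an RPM inventory and reports any package named in the Package List above that is still below the fixed version-release 1.0.1i-25.1. The function names and the sample inventory are constructed for illustration, and GNU `sort -V` is assumed as an approximation of rpm's own version ordering.

```shell
#!/bin/sh
# Fixed version-release, taken from the advisory's Package List.
FIXED="1.0.1i-25.1"

# Constructed sample of:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE_INVENTORY='libopenssl1_0_0 1.0.1i-20.1
openssl 1.0.1i-25.1
libopenssl1_0_0-hmac 1.0.1i-25.1
zlib 1.2.8-5.1'

# ver_ge A B: succeeds when A >= B.
# Assumption: GNU sort -V ordering stands in for rpm's comparison.
ver_ge() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# Reads "name version-release" lines on stdin and prints every package
# from the advisory's list that is still older than FIXED.
# Debuginfo/debugsource packages are left out to keep the list short.
unpatched_openssl() {
    while read -r name ver; do
        case "$name" in
            openssl|openssl-doc|libopenssl-devel) ;;
            libopenssl1_0_0|libopenssl1_0_0-32bit) ;;
            libopenssl1_0_0-hmac|libopenssl1_0_0-hmac-32bit) ;;
            *) continue ;;   # not covered by this advisory
        esac
        ver_ge "$ver" "$FIXED" || printf '%s %s\n' "$name" "$ver"
    done
}

# Demo on the constructed inventory; on a live host pipe rpm -qa instead.
printf '%s\n' "$SAMPLE_INVENTORY" | unpatched_openssl
```

Empty output means every listed package is at or above the fixed build; services linked against libopenssl still need a restart to load the updated library.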

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================