Security update for compat-openssl098

Announcement ID:	SUSE-SU-2015:0305-1
Rating:	moderate
References:	bsc#892403 bsc#912014 bsc#912015 bsc#912018 bsc#912293 bsc#912294 bsc#912296
Cross-References:	CVE-2014-0224 CVE-2014-3570 CVE-2014-3571 CVE-2014-3572 CVE-2014-8275 CVE-2015-0204 CVE-2015-0205
CVSS scores:	CVE-2014-0224 ( NVD ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products:	Legacy Module 12 SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves seven vulnerabilities can now be installed.

Description:

The openssl 0.9.8j compatibility package was updated to fix several security vulnerabilities:

CVE-2014-3570: Bignum squaring (BN_sqr) may produce incorrect results on some platforms, including x86_64.

CVE-2014-3571: Fix crash in dtls1_get_record whilst in the listen state where you get two separate reads performed - one for the header and one for the body of the handshake record.

CVE-2014-3572: Do not accept a handshake using an ephemeral ECDH ciphersuites with the server key exchange message omitted.

CVE-2014-8275: Fixed various certificate fingerprint issues

CVE-2015-0204: Only allow ephemeral RSA keys in export ciphersuites

CVE-2015-0205: OpenSSL 0.9.8j is NOT vulnerable to CVE-2015-0205 as it doesn't support DH certificates and this typo prohibits skipping of certificate verify message for sign only certificates anyway. (This patch only fixes the wrong condition)

This update also fixes regression caused by CVE-2014-0224.patch (bnc#892403)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Desktop 12
  zypper in -t patch SUSE-SLE-DESKTOP-12-2015-78=1
• Legacy Module 12
  zypper in -t patch SUSE-SLE-Module-Legacy-12-2015-78=1

Package List:

• SUSE Linux Enterprise Desktop 12 (x86_64)
  • libopenssl0_9_8-debuginfo-32bit-0.9.8j-70.2
  • libopenssl0_9_8-32bit-0.9.8j-70.2
  • compat-openssl098-debugsource-0.9.8j-70.2
  • libopenssl0_9_8-0.9.8j-70.2
  • libopenssl0_9_8-debuginfo-0.9.8j-70.2
• Legacy Module 12 (s390x x86_64)
  • libopenssl0_9_8-debuginfo-32bit-0.9.8j-70.2
  • libopenssl0_9_8-32bit-0.9.8j-70.2
  • compat-openssl098-debugsource-0.9.8j-70.2
  • libopenssl0_9_8-0.9.8j-70.2
  • libopenssl0_9_8-debuginfo-0.9.8j-70.2

References:

• https://www.suse.com/security/cve/CVE-2014-0224.html
• https://www.suse.com/security/cve/CVE-2014-3570.html
• https://www.suse.com/security/cve/CVE-2014-3571.html
• https://www.suse.com/security/cve/CVE-2014-3572.html
• https://www.suse.com/security/cve/CVE-2014-8275.html
• https://www.suse.com/security/cve/CVE-2015-0204.html
• https://www.suse.com/security/cve/CVE-2015-0205.html
• https://bugzilla.suse.com/show_bug.cgi?id=892403
• https://bugzilla.suse.com/show_bug.cgi?id=912014
• https://bugzilla.suse.com/show_bug.cgi?id=912015
• https://bugzilla.suse.com/show_bug.cgi?id=912018
• https://bugzilla.suse.com/show_bug.cgi?id=912293
• https://bugzilla.suse.com/show_bug.cgi?id=912294
• https://bugzilla.suse.com/show_bug.cgi?id=912296