Security update for erlang

Announcement ID: SUSE-SU-2018:0974-1
Rating: moderate
CVSS scores:
  • CVE-2017-1000385 ( SUSE ): 6.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
  • CVE-2017-1000385 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:
  • SUSE Enterprise Storage 4
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
  • SUSE OpenStack Cloud 7

An update that solves one vulnerability can now be installed.

Description:

This update for erlang fixes the following security issue:

  • CVE-2017-1000385: An Erlang TLS server configured with cipher suites using RSA key exchange may be vulnerable to an adaptive chosen-ciphertext attack (also known as a Bleichenbacher attack) against RSA. When exploited, this may result in plaintext recovery of encrypted messages and/or a man-in-the-middle (MitM) attack, even though the attacker has not gained access to the server's private key itself. (bsc#1070960)

Patch Instructions:

To install this SUSE update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • SUSE OpenStack Cloud 7
    zypper in -t patch SUSE-OpenStack-Cloud-7-2018-652=1
  • SUSE Enterprise Storage 4
    zypper in -t patch SUSE-Storage-4-2018-652=1

Package List:

  • SUSE OpenStack Cloud 7 (x86_64)
    • erlang-epmd-17.5.6-3.3.1
    • erlang-17.5.6-3.3.1
    • erlang-epmd-debuginfo-17.5.6-3.3.1
    • erlang-debuginfo-17.5.6-3.3.1
    • erlang-debugsource-17.5.6-3.3.1
  • SUSE Enterprise Storage 4 (aarch64 x86_64)
    • erlang-epmd-17.5.6-3.3.1
    • erlang-17.5.6-3.3.1
    • erlang-epmd-debuginfo-17.5.6-3.3.1
    • erlang-debuginfo-17.5.6-3.3.1
    • erlang-debugsource-17.5.6-3.3.1
