Security update for OpenSSL

SUSE Security Update: Security update for OpenSSL
Announcement ID: SUSE-SU-2013:1386-1
Rating: moderate
References: #739719 #758060 #802648 #802746
Affected Products:
  • SUSE CORE 9

An update that contains security fixes can now be installed.

    Description:


    OpenSSL on SUSE Linux Enterprise Server 9 LTSS has been
    updated to receive a roll-up of security fixes from the
    last year.

    The following issues have been fixed:

    * CVE-2013-0169: The TLS protocol and the DTLS
      protocol, as used in OpenSSL and other products, did not
      properly consider timing side-channel attacks on a MAC
      check requirement during the processing of malformed CBC
      padding, which allowed remote attackers to conduct
      distinguishing attacks and plaintext-recovery attacks via
      statistical analysis of timing data for crafted packets,
      aka the "Lucky Thirteen" issue.

    * CVE-2013-0166: OpenSSL did not properly perform
      signature verification for OCSP responses, which allowed
      remote OCSP servers to cause a denial of service (NULL
      pointer dereference and application crash) via an invalid
      key.

    * CVE-2012-2110, CVE-2012-2131: The asn1_d2i_read_bio
      function in crypto/asn1/a_d2i_fp.c in OpenSSL did not
      properly interpret integer data, which allowed remote
      attackers to conduct buffer overflow attacks, and cause a
      denial of service (memory corruption) or possibly have
      unspecified other impact, via crafted DER data, as
      demonstrated by an X.509 certificate or an RSA public key.

    * CVE-2011-4576: The SSL 3.0 implementation in OpenSSL
      did not properly initialize data structures for block
      cipher padding, which might have allowed remote attackers
      to obtain sensitive information by decrypting the padding
      data sent by an SSL peer.

    * CVE-2011-4619: The Server Gated Cryptography (SGC)
      implementation in OpenSSL did not properly handle handshake
      restarts, which allowed remote attackers to cause a denial
      of service (CPU consumption) via unspecified vectors.

    Package List:

    • SUSE CORE 9 (i586 s390 s390x x86_64):
        • openssl-0.9.7d-15.48
        • openssl-devel-0.9.7d-15.48
        • openssl-doc-0.9.7d-15.48
    • SUSE CORE 9 (x86_64):
        • openssl-32bit-9-201308121627
        • openssl-devel-32bit-9-201308121627
    • SUSE CORE 9 (s390x):
        • openssl-32bit-9-201308121642
        • openssl-devel-32bit-9-201308121642
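
    To check a host against the package list above, the installed builds can be compared with the fixed ones. The following is an added example, not part of the SUSE advisory: rpmvercmp is a simplified re-implementation of rpm's version ordering (no epoch or tilde handling), FIXED holds the x86_64 entries from the list, and the SAMPLE inventory is constructed.

```python
import re

# Fixed builds copied from the advisory's package list (x86_64 entries).
FIXED = [
    "openssl-0.9.7d-15.48",
    "openssl-devel-0.9.7d-15.48",
    "openssl-doc-0.9.7d-15.48",
    "openssl-32bit-9-201308121627",
    "openssl-devel-32bit-9-201308121627",
]

def split_nvr(nvr):
    """'openssl-devel-0.9.7d-15.48' -> ('openssl-devel', '0.9.7d', '15.48')."""
    return tuple(nvr.rsplit("-", 2))

def rpmvercmp(a, b):
    """Segment-wise compare in the style of rpm; returns -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():      # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)           # compare numbers by value, not as text
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments mean newer

def outdated(installed, fixed=FIXED):
    """Return the installed NVRs that are older than the advisory's fixed build."""
    want = {name: (ver, rel) for name, ver, rel in map(split_nvr, fixed)}
    stale = []
    for nvr in installed:
        name, ver, rel = split_nvr(nvr)
        fv, fr = want.get(name, (ver, rel))  # packages not in the advisory compare equal
        if (rpmvercmp(ver, fv) or rpmvercmp(rel, fr)) < 0:
            stale.append(nvr)
    return stale

# Constructed inventory in the form of: rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
SAMPLE = [
    "openssl-0.9.7d-15.35",
    "openssl-devel-0.9.7d-15.48",
    "openssl-32bit-9-201112201050",
    "openssl-doc-0.9.7d-15.50",
]

if __name__ == "__main__":
    print("needs update:", outdated(SAMPLE))
```

    On an s390x host, replace the two 32bit entries in FIXED with the 201308121642 builds from the list.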

    References:

    • https://bugzilla.novell.com/739719
    • https://bugzilla.novell.com/758060
    • https://bugzilla.novell.com/802648
    • https://bugzilla.novell.com/802746
    • http://download.suse.com/patch/finder/?keywords=bea1b3ef15108e5f9d7fc35575cbb857