Security update for openssl

Announcement ID:	SUSE-SU-2015:0205-1
Rating:	moderate
References:	bsc#855676 bsc#895129 bsc#901902 bsc#906878 bsc#908362 bsc#908372 bsc#912014 bsc#912015 bsc#912018 bsc#912292 bsc#912293 bsc#912294 bsc#912296
Cross-References:	CVE-2014-3570 CVE-2014-3571 CVE-2014-3572 CVE-2014-8275 CVE-2015-0204 CVE-2015-0205 CVE-2015-0206
CVSS scores:
Affected Products:	SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Software Development Kit 12

An update that solves seven vulnerabilities and has six security fixes can now be installed.

Description:

OpenSSL was updated to fix security issues and also provide FIPS compliance.

Security issues fixed: CVE-2014-3570: Bignum squaring (BN_sqr) may have produced incorrect results on some platforms, including x86_64.

CVE-2014-3571: Fixed crash in dtls1_get_record whilst in the listen state where you get two separate reads performed - one for the header and one for the body of the handshake record.

CVE-2014-3572: No longer accept a handshake using an ephemeral ECDH ciphersuites with the server key exchange message omitted.

CVE-2014-8275: Fixed various certificate fingerprint issues.

CVE-2015-0204: Only allow ephemeral RSA keys in export ciphersuites.

CVE-2015-0205: Fix to prevent use of DH client certificates without sending certificate verify message.

CVE-2015-0206: A memory leak could have occured in dtls1_buffer_record.

Bugfixes: - Do not advertise curves we don't support (bsc#906878)

FIPS changes: - Make RSA2 key generation FIPS 186-4 compliant (bsc#901902)

• X9.31 rand method is not allowed in FIPS mode.

• Do not allow dynamic ENGINEs loading in FIPS mode.

• Added a locking hack which prevents hangs in FIPS mode (bsc#895129)

• In non-FIPS RSA key generation, mirror the maximum and minimum limiters from FIPS rsa generation to meet Common Criteria and BSI TR requirements on minimum and maximum distances between p and q. (bsc#908362)

• Do constant reseeding from /dev/urandom; for every random byte pulled, seed with one byte from /dev/urandom, also change RAND_poll to pull the full state size of the SSLEAY DRBG to fulfil Common Criteria requirements. (bsc#908372)

FIPS mode can be enabled by either using the environment variable OPENSSL_FORCE_FIPS_MODE=1 or supplying the "fips=1" parameter on the kernel boot commandline.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Desktop 12
  zypper in -t patch SUSE-SLE-DESKTOP-12-2015-52=1
• SUSE Linux Enterprise Software Development Kit 12
  zypper in -t patch SUSE-SLE-SDK-12-2015-52=1
• SUSE Linux Enterprise Server 12
  zypper in -t patch SUSE-SLE-SERVER-12-2015-52=1
• SUSE Linux Enterprise Server for SAP Applications 12
  zypper in -t patch SUSE-SLE-SERVER-12-2015-52=1

Package List:

• SUSE Linux Enterprise Desktop 12 (x86_64)
  • libopenssl1_0_0-debuginfo-1.0.1i-17.1
  • libopenssl1_0_0-32bit-1.0.1i-17.1
  • openssl-1.0.1i-17.1
  • openssl-debugsource-1.0.1i-17.1
  • openssl-debuginfo-1.0.1i-17.1
  • libopenssl1_0_0-debuginfo-32bit-1.0.1i-17.1
  • libopenssl1_0_0-1.0.1i-17.1
• SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64)
  • libopenssl-devel-1.0.1i-17.1
  • openssl-debugsource-1.0.1i-17.1
  • openssl-debuginfo-1.0.1i-17.1
• SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64)
  • libopenssl1_0_0-debuginfo-1.0.1i-17.1
  • openssl-1.0.1i-17.1
  • openssl-debugsource-1.0.1i-17.1
  • openssl-debuginfo-1.0.1i-17.1
  • libopenssl1_0_0-hmac-1.0.1i-17.1
  • libopenssl1_0_0-1.0.1i-17.1
• SUSE Linux Enterprise Server 12 (noarch)
  • openssl-doc-1.0.1i-17.1
• SUSE Linux Enterprise Server 12 (s390x x86_64)
  • libopenssl1_0_0-hmac-32bit-1.0.1i-17.1
  • libopenssl1_0_0-32bit-1.0.1i-17.1
  • libopenssl1_0_0-debuginfo-32bit-1.0.1i-17.1
• SUSE Linux Enterprise Server for SAP Applications 12 (x86_64)
  • libopenssl1_0_0-hmac-32bit-1.0.1i-17.1
  • libopenssl1_0_0-debuginfo-1.0.1i-17.1
  • libopenssl1_0_0-32bit-1.0.1i-17.1
  • openssl-1.0.1i-17.1
  • openssl-debugsource-1.0.1i-17.1
  • openssl-debuginfo-1.0.1i-17.1
  • libopenssl1_0_0-debuginfo-32bit-1.0.1i-17.1
  • libopenssl1_0_0-hmac-1.0.1i-17.1
  • libopenssl1_0_0-1.0.1i-17.1
• SUSE Linux Enterprise Server for SAP Applications 12 (noarch)
  • openssl-doc-1.0.1i-17.1

References:

• https://www.suse.com/security/cve/CVE-2014-3570.html
• https://www.suse.com/security/cve/CVE-2014-3571.html
• https://www.suse.com/security/cve/CVE-2014-3572.html
• https://www.suse.com/security/cve/CVE-2014-8275.html
• https://www.suse.com/security/cve/CVE-2015-0204.html
• https://www.suse.com/security/cve/CVE-2015-0205.html
• https://www.suse.com/security/cve/CVE-2015-0206.html
• https://bugzilla.suse.com/show_bug.cgi?id=855676
• https://bugzilla.suse.com/show_bug.cgi?id=895129
• https://bugzilla.suse.com/show_bug.cgi?id=901902
• https://bugzilla.suse.com/show_bug.cgi?id=906878
• https://bugzilla.suse.com/show_bug.cgi?id=908362
• https://bugzilla.suse.com/show_bug.cgi?id=908372
• https://bugzilla.suse.com/show_bug.cgi?id=912014
• https://bugzilla.suse.com/show_bug.cgi?id=912015
• https://bugzilla.suse.com/show_bug.cgi?id=912018
• https://bugzilla.suse.com/show_bug.cgi?id=912292
• https://bugzilla.suse.com/show_bug.cgi?id=912293
• https://bugzilla.suse.com/show_bug.cgi?id=912294
• https://bugzilla.suse.com/show_bug.cgi?id=912296