Security update for compat-openssl098

Announcement ID:	SUSE-SU-2015:1150-1
Rating:	important
References:	bsc#879179 bsc#929678 bsc#931698 bsc#933898 bsc#933911 bsc#934487 bsc#934489 bsc#934491 bsc#934493
Cross-References:	CVE-2015-1788 CVE-2015-1789 CVE-2015-1790 CVE-2015-1791 CVE-2015-1792 CVE-2015-3216 CVE-2015-4000
CVSS scores:	CVE-2015-1789 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2015-4000 ( NVD ): 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products:	Legacy Module 12 SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves seven vulnerabilities and has two security fixes can now be installed.

Description:

This update fixes the following security issues:

• CVE-2015-4000 (boo#931698)
• The Logjam Attack / weakdh.org
• reject connections with DH parameters shorter than 1024 bits
• generates 2048-bit DH parameters by default
• CVE-2015-1788 (boo#934487)
• Malformed ECParameters causes infinite loop
• CVE-2015-1789 (boo#934489)
• Exploitable out-of-bounds read in X509_cmp_time
• CVE-2015-1790 (boo#934491)
• PKCS7 crash with missing EnvelopedContent
• CVE-2015-1792 (boo#934493)
• CMS verify infinite loop with unknown hash function
• CVE-2015-1791 (boo#933911)
• race condition in NewSessionTicket
• CVE-2015-3216 (boo#933898)
• Crash in ssleay_rand_bytes due to locking regression
• modified openssl-1.0.1i-fipslocking.patch
• fix timing side channel in RSA decryption (bnc#929678)
• add ECC ciphersuites to DEFAULT (bnc#879179)
• Disable EXPORT ciphers by default (bnc#931698, comment #3)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Desktop 12
  zypper in -t patch SUSE-SLE-DESKTOP-12-2015-285=1
• Legacy Module 12
  zypper in -t patch SUSE-SLE-Module-Legacy-12-2015-285=1

Package List:

• SUSE Linux Enterprise Desktop 12 (x86_64)
  • compat-openssl098-debugsource-0.9.8j-78.1
  • libopenssl0_9_8-debuginfo-0.9.8j-78.1
  • libopenssl0_9_8-debuginfo-32bit-0.9.8j-78.1
  • libopenssl0_9_8-0.9.8j-78.1
  • libopenssl0_9_8-32bit-0.9.8j-78.1
• Legacy Module 12 (s390x x86_64)
  • compat-openssl098-debugsource-0.9.8j-78.1
  • libopenssl0_9_8-debuginfo-0.9.8j-78.1
  • libopenssl0_9_8-debuginfo-32bit-0.9.8j-78.1
  • libopenssl0_9_8-0.9.8j-78.1
  • libopenssl0_9_8-32bit-0.9.8j-78.1

References:

• https://www.suse.com/security/cve/CVE-2015-1788.html
• https://www.suse.com/security/cve/CVE-2015-1789.html
• https://www.suse.com/security/cve/CVE-2015-1790.html
• https://www.suse.com/security/cve/CVE-2015-1791.html
• https://www.suse.com/security/cve/CVE-2015-1792.html
• https://www.suse.com/security/cve/CVE-2015-3216.html
• https://www.suse.com/security/cve/CVE-2015-4000.html
• https://bugzilla.suse.com/show_bug.cgi?id=879179
• https://bugzilla.suse.com/show_bug.cgi?id=929678
• https://bugzilla.suse.com/show_bug.cgi?id=931698
• https://bugzilla.suse.com/show_bug.cgi?id=933898
• https://bugzilla.suse.com/show_bug.cgi?id=933911
• https://bugzilla.suse.com/show_bug.cgi?id=934487
• https://bugzilla.suse.com/show_bug.cgi?id=934489
• https://bugzilla.suse.com/show_bug.cgi?id=934491
• https://bugzilla.suse.com/show_bug.cgi?id=934493