Security update for openssl

Announcement ID:	SUSE-SU-2019:1553-1
Rating:	moderate
References:	bsc#1089039 bsc#1097158 bsc#1097624 bsc#1098592 bsc#1101470 bsc#1104789 bsc#1106197 bsc#1110018 bsc#1113534 bsc#1113652 bsc#1117951 bsc#1127080 bsc#1131291
Cross-References:	CVE-2016-8610 CVE-2018-0732 CVE-2018-0734 CVE-2018-0737 CVE-2018-5407 CVE-2019-1559
CVSS scores:	CVE-2016-8610 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-8610 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-8610 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-0732 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2018-0732 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-0732 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-0734 ( SUSE ): 5.9 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N CVE-2018-0734 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2018-0734 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2018-0737 ( SUSE ): 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2018-0737 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2018-5407 ( SUSE ): 4.8 CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2018-5407 ( NVD ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2018-5407 ( NVD ): 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2019-1559 ( SUSE ): 4.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N CVE-2019-1559 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2019-1559 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:	SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 LTSS 12 SUSE Linux Enterprise Server for SAP Applications 12

An update that solves six vulnerabilities and has seven security fixes can now be installed.

Description:

This update for openssl fixes the following issues:

• CVE-2018-0732: Reject excessively large primes in DH key generation (bsc#1097158)
• CVE-2018-0734: Timing vulnerability in DSA signature generation (bsc#1113652)
• CVE-2018-0737: Cache timing vulnerability in RSA Key Generation (bsc#1089039)
• CVE-2018-5407: Elliptic curve scalar multiplication timing attack defenses (fixes "PortSmash") (bsc#1113534)
• CVE-2019-1559: Fix 0-byte record padding oracle via SSL_shutdown (bsc#1127080)
• Fix One&Done side-channel attack on RSA (bsc#1104789)
• Reject invalid EC point coordinates (bsc#1131291)
• The 9 Lives of Bleichenbacher's CAT: Cache ATtacks on TLS Implementations (bsc#1117951)
• Add missing error string to CVE-2016-8610 fix (bsc#1110018#c9)
• blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592)

Non security fixes:

• correct the error detection in the fips patch (bsc#1106197)
• Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server 12 LTSS 12
  zypper in -t patch SUSE-SLE-SERVER-12-2019-1553=1

Package List:

• SUSE Linux Enterprise Server 12 LTSS 12 (ppc64le s390x x86_64)
  • libopenssl1_0_0-1.0.1i-27.34.1
  • openssl-debuginfo-1.0.1i-27.34.1
  • openssl-1.0.1i-27.34.1
  • libopenssl1_0_0-hmac-1.0.1i-27.34.1
  • libopenssl1_0_0-debuginfo-1.0.1i-27.34.1
  • openssl-debugsource-1.0.1i-27.34.1
• SUSE Linux Enterprise Server 12 LTSS 12 (noarch)
  • openssl-doc-1.0.1i-27.34.1
• SUSE Linux Enterprise Server 12 LTSS 12 (s390x x86_64)
  • libopenssl1_0_0-32bit-1.0.1i-27.34.1
  • libopenssl1_0_0-hmac-32bit-1.0.1i-27.34.1
  • libopenssl1_0_0-debuginfo-32bit-1.0.1i-27.34.1

References:

• https://www.suse.com/security/cve/CVE-2016-8610.html
• https://www.suse.com/security/cve/CVE-2018-0732.html
• https://www.suse.com/security/cve/CVE-2018-0734.html
• https://www.suse.com/security/cve/CVE-2018-0737.html
• https://www.suse.com/security/cve/CVE-2018-5407.html
• https://www.suse.com/security/cve/CVE-2019-1559.html
• https://bugzilla.suse.com/show_bug.cgi?id=1089039
• https://bugzilla.suse.com/show_bug.cgi?id=1097158
• https://bugzilla.suse.com/show_bug.cgi?id=1097624
• https://bugzilla.suse.com/show_bug.cgi?id=1098592
• https://bugzilla.suse.com/show_bug.cgi?id=1101470
• https://bugzilla.suse.com/show_bug.cgi?id=1104789
• https://bugzilla.suse.com/show_bug.cgi?id=1106197
• https://bugzilla.suse.com/show_bug.cgi?id=1110018
• https://bugzilla.suse.com/show_bug.cgi?id=1113534
• https://bugzilla.suse.com/show_bug.cgi?id=1113652
• https://bugzilla.suse.com/show_bug.cgi?id=1117951
• https://bugzilla.suse.com/show_bug.cgi?id=1127080
• https://bugzilla.suse.com/show_bug.cgi?id=1131291