Security update for openCryptoki
| Announcement ID: | SUSE-SU-2024:2298-1 |
|---|---|
| Rating: | moderate |
| References: | |
| Cross-References: | |
| CVSS scores: | |
| Affected Products: | |
An update that solves one vulnerability and has one security fix can now be installed.
Description:
This update for openCryptoki fixes the following issues:
openCryptoki was updated to version 3.17.0 (bsc#1220266, bsc#1219217)
- openCryptoki 3.17
  - tools: added function to list keys to p11sak
  - common: added support for OpenSSL 3.0
  - common: added support for event notifications
  - ICA: added SW fallbacks
- openCryptoki 3.16
  - EP11: protected-key option
  - EP11: support attribute-bound keys
  - CCA: import and export of secure key objects
  - Bug fixes
- openCryptoki 3.15.1
  - Bug fixes
- openCryptoki 3.15
  - common: conform to PKCS 11 3.0 Baseline Provider profile
  - Introduce new vendor defined interface named "Vendor IBM"
  - Support C_IBM_ReencryptSingle via "Vendor IBM" interface
  - CCA: support key wrapping
  - SOFT: support ECC
  - p11sak tool: add remove-key command
  - Bug fixes
- openCryptoki 3.14
  - EP11: Dilithium support stage 2
  - Common: Rework on process and thread locking
  - Common: Rework on btree and object locking
  - ICSF: minor fixes
  - TPM, ICA, ICSF: support multiple token instances
  - new tool p11sak
- openCryptoki 3.13.0
  - EP11: Dilithium support
  - EP11: EdDSA support
  - EP11: support RSA-OAEP with non-SHA1 hash and MGF
- openCryptoki 3.12.1
  - Fix pkcsep11_migrate tool
- openCryptoki 3.12.0
  - Update token pin and data store encryption for soft, ica, cca and ep11
  - EP11: Allow importing of compressed EC public keys
  - EP11: Add support for the CMAC mechanisms
  - EP11: Add support for the IBM-SHA3 mechanisms
  - SOFT: Add AES-CMAC and 3DES-CMAC support to the soft token
  - ICA: Add AES-CMAC and 3DES-CMAC support to the ICA token
  - EP11: Add config option USE_PRANDOM
  - CCA: Use Random Number Generate Long for token_specific_rng()
  - Common rng function: Prefer /dev/prandom over /dev/urandom
  - ICA: add SHA*_RSA_PKCS_PSS mechanisms
  - Bug fixes
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 12 SP5
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2024-2298=1
- SUSE Linux Enterprise High Performance Computing 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-2298=1
- SUSE Linux Enterprise Server 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-2298=1
- SUSE Linux Enterprise Server for SAP Applications 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-2298=1
Package List:
- SUSE Linux Enterprise Software Development Kit 12 SP5 (aarch64 ppc64le s390x x86_64)
  - openCryptoki-debugsource-3.17.0-5.9.2
  - openCryptoki-devel-3.17.0-5.9.2
  - openCryptoki-debuginfo-3.17.0-5.9.2
- SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64)
  - openCryptoki-debugsource-3.17.0-5.9.2
  - openCryptoki-debuginfo-3.17.0-5.9.2
  - openCryptoki-3.17.0-5.9.2
- SUSE Linux Enterprise High Performance Computing 12 SP5 (x86_64)
  - openCryptoki-64bit-3.17.0-5.9.2
- SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64)
  - openCryptoki-debugsource-3.17.0-5.9.2
  - openCryptoki-debuginfo-3.17.0-5.9.2
  - openCryptoki-3.17.0-5.9.2
- SUSE Linux Enterprise Server 12 SP5 (ppc64le s390x x86_64)
  - openCryptoki-64bit-3.17.0-5.9.2
- SUSE Linux Enterprise Server 12 SP5 (s390)
  - openCryptoki-32bit-3.17.0-5.9.2
- SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64)
  - openCryptoki-debugsource-3.17.0-5.9.2
  - openCryptoki-64bit-3.17.0-5.9.2
  - openCryptoki-debuginfo-3.17.0-5.9.2
  - openCryptoki-3.17.0-5.9.2