Security update for openssl-3

Announcement ID:	SUSE-SU-2024:3106-1
Rating:	moderate
References:	bsc#1220523 bsc#1220690 bsc#1220693 bsc#1220696 bsc#1221365 bsc#1221751 bsc#1221752 bsc#1221753 bsc#1221760 bsc#1221786 bsc#1221787 bsc#1221821 bsc#1221822 bsc#1221824 bsc#1221827 bsc#1229465
Cross-References:	CVE-2024-6119
CVSS scores:	CVE-2024-6119 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2024-6119 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	Basesystem Module 15-SP6 openSUSE Leap 15.6 SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise Real Time 15 SP6 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves one vulnerability and has 15 security fixes can now be installed.

Description:

This update for openssl-3 fixes the following issues:

• CVE-2024-6119: Fixed denial of service in X.509 name checks (bsc#1229465)

Other fixes:

• FIPS: Deny SHA-1 signature verification in FIPS provider (bsc#1221365).
• FIPS: RSA keygen PCT requirements.
• FIPS: Check that the fips provider is available before setting it as the default provider in FIPS mode (bsc#1220523).
• FIPS: Port openssl to use jitterentropy (bsc#1220523).
• FIPS: Block non-Approved Elliptic Curves (bsc#1221786).
• FIPS: Service Level Indicator (bsc#1221365).
• FIPS: Output the FIPS-validation name and module version which uniquely identify the FIPS validated module (bsc#1221751).
• FIPS: Add required selftests: (bsc#1221760).
• FIPS: DH: Disable FIPS 186-4 Domain Parameters (bsc#1221821).
• FIPS: Recommendation for Password-Based Key Derivation (bsc#1221827).
• FIPS: Zero initialization required (bsc#1221752).
• FIPS: Reseed DRBG (bsc#1220690, bsc#1220693, bsc#1220696).
• FIPS: NIST SP 800-56Brev2 (bsc#1221824).
• FIPS: Approved Modulus Sizes for RSA Digital Signature for FIPS 186-4 (bsc#1221787).
• FIPS: Port openssl to use jitterentropy (bsc#1220523).
• FIPS: NIST SP 800-56Arev3 (bsc#1221822).
• FIPS: Error state has to be enforced (bsc#1221753).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.6
  zypper in -t patch SUSE-2024-3106=1 openSUSE-SLE-15.6-2024-3106=1
• Basesystem Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2024-3106=1

Package List:

• openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
  • libopenssl-3-devel-3.1.4-150600.5.15.1
  • libopenssl3-debuginfo-3.1.4-150600.5.15.1
  • openssl-3-debugsource-3.1.4-150600.5.15.1
  • openssl-3-debuginfo-3.1.4-150600.5.15.1
  • libopenssl-3-fips-provider-3.1.4-150600.5.15.1
  • libopenssl-3-fips-provider-debuginfo-3.1.4-150600.5.15.1
  • libopenssl3-3.1.4-150600.5.15.1
  • openssl-3-3.1.4-150600.5.15.1
• openSUSE Leap 15.6 (x86_64)
  • libopenssl-3-fips-provider-32bit-debuginfo-3.1.4-150600.5.15.1
  • libopenssl-3-fips-provider-32bit-3.1.4-150600.5.15.1
  • libopenssl3-32bit-debuginfo-3.1.4-150600.5.15.1
  • libopenssl-3-devel-32bit-3.1.4-150600.5.15.1
  • libopenssl3-32bit-3.1.4-150600.5.15.1
• openSUSE Leap 15.6 (noarch)
  • openssl-3-doc-3.1.4-150600.5.15.1
• openSUSE Leap 15.6 (aarch64_ilp32)
  • libopenssl-3-fips-provider-64bit-3.1.4-150600.5.15.1
  • libopenssl-3-fips-provider-64bit-debuginfo-3.1.4-150600.5.15.1
  • libopenssl3-64bit-3.1.4-150600.5.15.1
  • libopenssl3-64bit-debuginfo-3.1.4-150600.5.15.1
  • libopenssl-3-devel-64bit-3.1.4-150600.5.15.1
• Basesystem Module 15-SP6 (aarch64 ppc64le s390x x86_64)
  • libopenssl-3-devel-3.1.4-150600.5.15.1
  • libopenssl3-debuginfo-3.1.4-150600.5.15.1
  • openssl-3-debugsource-3.1.4-150600.5.15.1
  • openssl-3-debuginfo-3.1.4-150600.5.15.1
  • libopenssl-3-fips-provider-3.1.4-150600.5.15.1
  • libopenssl-3-fips-provider-debuginfo-3.1.4-150600.5.15.1
  • libopenssl3-3.1.4-150600.5.15.1
  • openssl-3-3.1.4-150600.5.15.1
• Basesystem Module 15-SP6 (x86_64)
  • libopenssl3-32bit-3.1.4-150600.5.15.1
  • libopenssl3-32bit-debuginfo-3.1.4-150600.5.15.1
  • libopenssl-3-fips-provider-32bit-debuginfo-3.1.4-150600.5.15.1
  • libopenssl-3-fips-provider-32bit-3.1.4-150600.5.15.1

References:

• https://www.suse.com/security/cve/CVE-2024-6119.html
• https://bugzilla.suse.com/show_bug.cgi?id=1220523
• https://bugzilla.suse.com/show_bug.cgi?id=1220690
• https://bugzilla.suse.com/show_bug.cgi?id=1220693
• https://bugzilla.suse.com/show_bug.cgi?id=1220696
• https://bugzilla.suse.com/show_bug.cgi?id=1221365
• https://bugzilla.suse.com/show_bug.cgi?id=1221751
• https://bugzilla.suse.com/show_bug.cgi?id=1221752
• https://bugzilla.suse.com/show_bug.cgi?id=1221753
• https://bugzilla.suse.com/show_bug.cgi?id=1221760
• https://bugzilla.suse.com/show_bug.cgi?id=1221786
• https://bugzilla.suse.com/show_bug.cgi?id=1221787
• https://bugzilla.suse.com/show_bug.cgi?id=1221821
• https://bugzilla.suse.com/show_bug.cgi?id=1221822
• https://bugzilla.suse.com/show_bug.cgi?id=1221824
• https://bugzilla.suse.com/show_bug.cgi?id=1221827
• https://bugzilla.suse.com/show_bug.cgi?id=1229465