Security update for openssl-1_1

Announcement ID:	SUSE-SU-2024:3905-1
Release Date:	2024-11-04T12:39:19Z
Rating:	moderate
References:	bsc#1220262 bsc#1224258 bsc#1224260 bsc#1224264 bsc#1224265 bsc#1224266 bsc#1224267 bsc#1224268 bsc#1224269 bsc#1224270 bsc#1224271 bsc#1224272 bsc#1224273 bsc#1224275 bsc#1228618 bsc#1228619 bsc#1228623
Cross-References:	CVE-2023-50782
CVSS scores:	CVE-2023-50782 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2023-50782 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2023-50782 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:	Basesystem Module 15-SP6 Development Tools Module 15-SP6 Legacy Module 15-SP6 openSUSE Leap 15.6 SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise Real Time 15 SP6 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves one vulnerability and has 16 security fixes can now be installed.

Description:

This update for openssl-1_1 fixes the following issues:

Security fixes:

• CVE-2023-50782: Implicit rejection in PKCS#1 v1.5 (bsc#1220262)

Other fixes:

• FIPS: AES GCM external IV implementation (bsc#1228618)
• FIPS: Mark PBKDF2 and HKDF HMAC input keys with size >= 112 bits as approved in the SLI. (bsc#1228623)
• FIPS: Enforce KDF in FIPS style (bsc#1224270)
• FIPS: Mark HKDF and TLSv1.3 KDF as approved in the SLI (bsc#1228619)
• FIPS: The X9.31 scheme is not approved for RSA signature operations in FIPS 186-5. (bsc#1224269)
• FIPS: Differentiate the PSS length requirements (bsc#1224275)
• FIPS: Mark sigGen and sigVer primitives as non-approved (bsc#1224272)
• FIPS: Disable PKCSv1.5 and shake in FIPS mode (bsc#1224271)
• FIPS: Mark SHA1 as non-approved in the SLI (bsc#1224266)
• FIPS: DH FIPS selftest and safe prime group (bsc#1224264)
• FIPS: Remove not needed FIPS DRBG files (bsc#1224268)
• FIPS: Add Pair-wise Consistency Test when generating DH key (bsc#1224265)
• FIPS: Disallow non-approved KDF types (bsc#1224267)
• FIPS: Disallow RSA sigVer with 1024 and ECDSA sigVer/keyVer P-192 (bsc#1224273)
• FIPS: DRBG component chaining (bsc#1224258)
• FIPS: Align CRNGT_BUFSIZ with Jitter RNG output size (bsc#1224260)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Legacy Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Legacy-15-SP6-2024-3905=1
• openSUSE Leap 15.6
  zypper in -t patch SUSE-2024-3905=1 openSUSE-SLE-15.6-2024-3905=1
• Basesystem Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2024-3905=1
• Development Tools Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2024-3905=1

Package List:

• Legacy Module 15-SP6 (aarch64 ppc64le s390x x86_64)
  • openssl-1_1-debugsource-1.1.1w-150600.5.9.1
  • openssl-1_1-debuginfo-1.1.1w-150600.5.9.1
  • openssl-1_1-1.1.1w-150600.5.9.1
• openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
  • libopenssl-1_1-devel-1.1.1w-150600.5.9.1
  • openssl-1_1-1.1.1w-150600.5.9.1
  • openssl-1_1-debuginfo-1.1.1w-150600.5.9.1
  • libopenssl1_1-debuginfo-1.1.1w-150600.5.9.1
  • openssl-1_1-debugsource-1.1.1w-150600.5.9.1
  • libopenssl1_1-1.1.1w-150600.5.9.1
• openSUSE Leap 15.6 (x86_64)
  • libopenssl1_1-32bit-1.1.1w-150600.5.9.1
  • libopenssl-1_1-devel-32bit-1.1.1w-150600.5.9.1
  • libopenssl1_1-32bit-debuginfo-1.1.1w-150600.5.9.1
• openSUSE Leap 15.6 (noarch)
  • openssl-1_1-doc-1.1.1w-150600.5.9.1
• openSUSE Leap 15.6 (aarch64_ilp32)
  • libopenssl1_1-64bit-1.1.1w-150600.5.9.1
  • libopenssl-1_1-devel-64bit-1.1.1w-150600.5.9.1
  • libopenssl1_1-64bit-debuginfo-1.1.1w-150600.5.9.1
• Basesystem Module 15-SP6 (aarch64 ppc64le s390x x86_64)
  • openssl-1_1-debugsource-1.1.1w-150600.5.9.1
  • openssl-1_1-debuginfo-1.1.1w-150600.5.9.1
  • libopenssl1_1-debuginfo-1.1.1w-150600.5.9.1
  • libopenssl1_1-1.1.1w-150600.5.9.1
• Basesystem Module 15-SP6 (x86_64)
  • libopenssl1_1-32bit-1.1.1w-150600.5.9.1
  • libopenssl1_1-32bit-debuginfo-1.1.1w-150600.5.9.1
• Development Tools Module 15-SP6 (aarch64 ppc64le s390x x86_64)
  • openssl-1_1-debugsource-1.1.1w-150600.5.9.1
  • libopenssl-1_1-devel-1.1.1w-150600.5.9.1
  • openssl-1_1-debuginfo-1.1.1w-150600.5.9.1

References:

• https://www.suse.com/security/cve/CVE-2023-50782.html
• https://bugzilla.suse.com/show_bug.cgi?id=1220262
• https://bugzilla.suse.com/show_bug.cgi?id=1224258
• https://bugzilla.suse.com/show_bug.cgi?id=1224260
• https://bugzilla.suse.com/show_bug.cgi?id=1224264
• https://bugzilla.suse.com/show_bug.cgi?id=1224265
• https://bugzilla.suse.com/show_bug.cgi?id=1224266
• https://bugzilla.suse.com/show_bug.cgi?id=1224267
• https://bugzilla.suse.com/show_bug.cgi?id=1224268
• https://bugzilla.suse.com/show_bug.cgi?id=1224269
• https://bugzilla.suse.com/show_bug.cgi?id=1224270
• https://bugzilla.suse.com/show_bug.cgi?id=1224271
• https://bugzilla.suse.com/show_bug.cgi?id=1224272
• https://bugzilla.suse.com/show_bug.cgi?id=1224273
• https://bugzilla.suse.com/show_bug.cgi?id=1224275
• https://bugzilla.suse.com/show_bug.cgi?id=1228618
• https://bugzilla.suse.com/show_bug.cgi?id=1228619
• https://bugzilla.suse.com/show_bug.cgi?id=1228623