Security update for openssl
SUSE Patch
security@suse.de
SUSE Security Team
SUSE-SU-2016:0617-1
Final
1
1
2016-03-01T13:29:49Z
current
2016-03-01T13:29:49Z
2016-03-01T13:29:49Z
cve-database/bin/generate-cvrf.pl
2017-02-24T01:00:00Z
Security update for openssl
This update for openssl fixes various security issues and bugs:
Security issues fixed:
- CVE-2016-0800 aka the 'DROWN' attack (bsc#968046):
OpenSSL was vulnerable to a cross-protocol attack that could lead to
decryption of TLS sessions by using a server supporting SSLv2 and
EXPORT cipher suites as a Bleichenbacher RSA padding oracle.
This update changes the openssl library to:
* Disable SSLv2 protocol support by default.
This can be overridden by setting the environment variable
'OPENSSL_ALLOW_SSL2' or by using SSL_CTX_clear_options using the
SSL_OP_NO_SSLv2 flag.
Note that various services and clients had already disabled SSL
protocol 2 by default previously.
* Disable all weak EXPORT ciphers by default. These can be reenabled
if required by old legacy software using the environment variable
'OPENSSL_ALLOW_EXPORT'.
- CVE-2016-0702 aka the 'CacheBleed' attack. (bsc#968050)
Various changes in the modular exponentation code were added that
make sure that it is not possible to recover RSA secret keys by
analyzing cache-bank conflicts on the Intel Sandy-Bridge microarchitecture.
Note that this was only exploitable if the malicious code was running
on the same hyper threaded Intel Sandy Bridge processor as the victim
thread performing decryptions.
- CVE-2016-0705 (bnc#968047):
A double free() bug in the DSA ASN1 parser code was fixed that could
be abused to facilitate a denial-of-service attack.
- CVE-2016-0797 (bnc#968048):
The BN_hex2bn() and BN_dec2bn() functions had a bug that could result
in an attempt to de-reference a NULL pointer leading to crashes.
This could have security consequences if these functions were ever
called by user applications with large untrusted hex/decimal data. Also,
internal usage of these functions in OpenSSL uses data from config files
or application command line arguments. If user developed applications
generated config file data based on untrusted data, then this could
have had security consequences as well.
- CVE-2016-0798 (bnc#968265)
The SRP user database lookup method SRP_VBASE_get_by_user() had a memory
leak that attackers could abuse to facility DoS attacks. To mitigate
the issue, the seed handling in SRP_VBASE_get_by_user() was disabled
even if the user has configured a seed. Applications are advised to
migrate to SRP_VBASE_get1_by_user().
- CVE-2016-0799 (bnc#968374)
On many 64 bit systems, the internal fmtstr() and doapr_outch()
functions could miscalculate the length of a string and attempt to
access out-of-bounds memory locations. These problems could have
enabled attacks where large amounts of untrusted data is passed to
the BIO_*printf functions. If applications use these functions in
this way then they could have been vulnerable. OpenSSL itself uses
these functions when printing out human-readable dumps of ASN.1
data. Therefore applications that print this data could have been
vulnerable if the data is from untrusted sources. OpenSSL command line
applications could also have been vulnerable when they print out ASN.1
data, or if untrusted data is passed as command line arguments. Libssl
is not considered directly vulnerable.
- CVE-2015-3197 (bsc#963415):
The SSLv2 protocol did not block disabled ciphers.
Note that the March 1st 2016 release also references following CVEs
that were fixed by us with CVE-2015-0293 in 2015:
- CVE-2016-0703 (bsc#968051): This issue only affected versions of
OpenSSL prior to March 19th 2015 at which time the code was refactored
to address vulnerability CVE-2015-0293. It would have made the above
'DROWN' attack much easier.
- CVE-2016-0704 (bsc#968053): 'Bleichenbacher oracle in SSLv2'
This issue only affected versions of OpenSSL prior to March 19th
2015 at which time the code was refactored to address vulnerability
CVE-2015-0293. It would have made the above 'DROWN' attack much easier.
Bugs fixed:
- Avoid running OPENSSL_config twice. This avoids breaking
engine loading. (bsc#952871)
- Ensure that OpenSSL doesn't fall back to the default digest
algorithm (SHA1) in case a non-FIPS algorithm was negotiated while
running in FIPS mode. Instead, OpenSSL will refuse the digest.
(bnc#958501)
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
SUSE-SLE-DESKTOP-12-2016-352,SUSE-SLE-SDK-12-2016-352,SUSE-SLE-SERVER-12-2016-352
Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)
https://www.suse.com/support/update/announcement/2016/suse-su-20160617-1/
Link for SUSE-SU-2016:0617-1
https://lists.suse.com/pipermail/sle-security-updates/2016-March/001900.html
E-Mail link for SUSE-SU-2016:0617-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/952871
SUSE Bug 952871
https://bugzilla.suse.com/958501
SUSE Bug 958501
https://bugzilla.suse.com/963415
SUSE Bug 963415
https://bugzilla.suse.com/968046
SUSE Bug 968046
https://bugzilla.suse.com/968047
SUSE Bug 968047
https://bugzilla.suse.com/968048
SUSE Bug 968048
https://bugzilla.suse.com/968050
SUSE Bug 968050
https://bugzilla.suse.com/968051
SUSE Bug 968051
https://bugzilla.suse.com/968053
SUSE Bug 968053
https://bugzilla.suse.com/968265
SUSE Bug 968265
https://bugzilla.suse.com/968374
SUSE Bug 968374
https://www.suse.com/security/cve/CVE-2015-3197/
SUSE CVE CVE-2015-3197 page
https://www.suse.com/security/cve/CVE-2016-0702/
SUSE CVE CVE-2016-0702 page
https://www.suse.com/security/cve/CVE-2016-0703/
SUSE CVE CVE-2016-0703 page
https://www.suse.com/security/cve/CVE-2016-0704/
SUSE CVE CVE-2016-0704 page
https://www.suse.com/security/cve/CVE-2016-0705/
SUSE CVE CVE-2016-0705 page
https://www.suse.com/security/cve/CVE-2016-0797/
SUSE CVE CVE-2016-0797 page
https://www.suse.com/security/cve/CVE-2016-0798/
SUSE CVE CVE-2016-0798 page
https://www.suse.com/security/cve/CVE-2016-0799/
SUSE CVE CVE-2016-0799 page
https://www.suse.com/security/cve/CVE-2016-0800/
SUSE CVE CVE-2016-0800 page
SUSE Linux Enterprise Desktop 12
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server for SAP Applications 12
SUSE Linux Enterprise Software Development Kit 12
libopenssl1_0_0-1.0.1i-27.13.1
libopenssl1_0_0-32bit-1.0.1i-27.13.1
openssl-1.0.1i-27.13.1
libopenssl-devel-1.0.1i-27.13.1
libopenssl1_0_0-hmac-1.0.1i-27.13.1
libopenssl1_0_0-hmac-32bit-1.0.1i-27.13.1
openssl-doc-1.0.1i-27.13.1
libopenssl1_0_0-1.0.1i-27.13.1 as a component of SUSE Linux Enterprise Desktop 12
libopenssl1_0_0-32bit-1.0.1i-27.13.1 as a component of SUSE Linux Enterprise Desktop 12
openssl-1.0.1i-27.13.1 as a component of SUSE Linux Enterprise Desktop 12
libopenssl1_0_0-1.0.1i-27.13.1 as a component of SUSE Linux Enterprise Server 12
libopenssl1_0_0-32bit-1.0.1i-27.13.1 as a component of SUSE Linux Enterprise Server 12
libopenssl1_0_0-hmac-1.0.1i-27.13.1 as a component of SUSE Linux Enterprise Server 12
libopenssl1_0_0-hmac-32bit-1.0.1i-27.13.1 as a component of SUSE Linux Enterprise Server 12
openssl-1.0.1i-27.13.1 as a component of SUSE Linux Enterprise Server 12
openssl-doc-1.0.1i-27.13.1 as a component of SUSE Linux Enterprise Server 12
libopenssl1_0_0-1.0.1i-27.13.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12
libopenssl1_0_0-32bit-1.0.1i-27.13.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12
libopenssl1_0_0-hmac-1.0.1i-27.13.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12
libopenssl1_0_0-hmac-32bit-1.0.1i-27.13.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12
openssl-1.0.1i-27.13.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12
openssl-doc-1.0.1i-27.13.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12
libopenssl-devel-1.0.1i-27.13.1 as a component of SUSE Linux Enterprise Software Development Kit 12
ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.
CVE-2015-3197
SUSE Linux Enterprise Desktop 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Desktop 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Desktop 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-hmac-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:openssl-doc-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:openssl-doc-1.0.1i-27.13.1
SUSE Linux Enterprise Software Development Kit 12:libopenssl-devel-1.0.1i-27.13.1
low
4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2016/suse-su-20160617-1/
https://www.suse.com/security/cve/CVE-2015-3197.html
CVE-2015-3197
https://bugzilla.suse.com/963410
SUSE Bug 963410
https://bugzilla.suse.com/963415
SUSE Bug 963415
https://bugzilla.suse.com/968044
SUSE Bug 968044
https://bugzilla.suse.com/968046
SUSE Bug 968046
The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a "CacheBleed" attack.
CVE-2016-0702
SUSE Linux Enterprise Desktop 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Desktop 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Desktop 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-hmac-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:openssl-doc-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:openssl-doc-1.0.1i-27.13.1
SUSE Linux Enterprise Software Development Kit 12:libopenssl-devel-1.0.1i-27.13.1
important
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2016/suse-su-20160617-1/
https://www.suse.com/security/cve/CVE-2016-0702.html
CVE-2016-0702
https://bugzilla.suse.com/1007806
SUSE Bug 1007806
https://bugzilla.suse.com/968044
SUSE Bug 968044
https://bugzilla.suse.com/968050
SUSE Bug 968050
https://bugzilla.suse.com/971238
SUSE Bug 971238
https://bugzilla.suse.com/990370
SUSE Bug 990370
The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.
CVE-2016-0703
SUSE Linux Enterprise Desktop 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Desktop 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Desktop 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-hmac-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:openssl-doc-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:openssl-doc-1.0.1i-27.13.1
SUSE Linux Enterprise Software Development Kit 12:libopenssl-devel-1.0.1i-27.13.1
important
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2016/suse-su-20160617-1/
https://www.suse.com/security/cve/CVE-2016-0703.html
CVE-2016-0703
https://bugzilla.suse.com/968044
SUSE Bug 968044
https://bugzilla.suse.com/968046
SUSE Bug 968046
https://bugzilla.suse.com/968051
SUSE Bug 968051
https://bugzilla.suse.com/986238
SUSE Bug 986238
An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.
CVE-2016-0704
SUSE Linux Enterprise Desktop 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Desktop 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Desktop 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-hmac-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:openssl-doc-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:openssl-doc-1.0.1i-27.13.1
SUSE Linux Enterprise Software Development Kit 12:libopenssl-devel-1.0.1i-27.13.1
important
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2016/suse-su-20160617-1/
https://www.suse.com/security/cve/CVE-2016-0704.html
CVE-2016-0704
https://bugzilla.suse.com/968044
SUSE Bug 968044
https://bugzilla.suse.com/968053
SUSE Bug 968053
https://bugzilla.suse.com/986238
SUSE Bug 986238
Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key.
CVE-2016-0705
SUSE Linux Enterprise Desktop 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Desktop 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Desktop 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-hmac-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:openssl-doc-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:openssl-doc-1.0.1i-27.13.1
SUSE Linux Enterprise Software Development Kit 12:libopenssl-devel-1.0.1i-27.13.1
critical
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2016/suse-su-20160617-1/
https://www.suse.com/security/cve/CVE-2016-0705.html
CVE-2016-0705
https://bugzilla.suse.com/968044
SUSE Bug 968044
https://bugzilla.suse.com/968047
SUSE Bug 968047
https://bugzilla.suse.com/971238
SUSE Bug 971238
https://bugzilla.suse.com/976341
SUSE Bug 976341
Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c.
CVE-2016-0797
SUSE Linux Enterprise Desktop 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Desktop 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Desktop 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-hmac-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:openssl-doc-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:openssl-doc-1.0.1i-27.13.1
SUSE Linux Enterprise Software Development Kit 12:libopenssl-devel-1.0.1i-27.13.1
important
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2016/suse-su-20160617-1/
https://www.suse.com/security/cve/CVE-2016-0797.html
CVE-2016-0797
https://bugzilla.suse.com/968044
SUSE Bug 968044
https://bugzilla.suse.com/968048
SUSE Bug 968048
https://bugzilla.suse.com/990370
SUSE Bug 990370
Memory leak in the SRP_VBASE_get_by_user implementation in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt, related to apps/s_server.c and crypto/srp/srp_vfy.c.
CVE-2016-0798
SUSE Linux Enterprise Desktop 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Desktop 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Desktop 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-hmac-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:openssl-doc-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:openssl-doc-1.0.1i-27.13.1
SUSE Linux Enterprise Software Development Kit 12:libopenssl-devel-1.0.1i-27.13.1
important
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2016/suse-su-20160617-1/
https://www.suse.com/security/cve/CVE-2016-0798.html
CVE-2016-0798
https://bugzilla.suse.com/968044
SUSE Bug 968044
https://bugzilla.suse.com/968265
SUSE Bug 968265
The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-2842.
CVE-2016-0799
SUSE Linux Enterprise Desktop 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Desktop 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Desktop 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-hmac-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:openssl-doc-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:openssl-doc-1.0.1i-27.13.1
SUSE Linux Enterprise Software Development Kit 12:libopenssl-devel-1.0.1i-27.13.1
low
2.6
AV:N/AC:H/Au:N/C:N/I:N/A:P
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2016/suse-su-20160617-1/
https://www.suse.com/security/cve/CVE-2016-0799.html
CVE-2016-0799
https://bugzilla.suse.com/968044
SUSE Bug 968044
https://bugzilla.suse.com/968374
SUSE Bug 968374
https://bugzilla.suse.com/969517
SUSE Bug 969517
https://bugzilla.suse.com/989345
SUSE Bug 989345
https://bugzilla.suse.com/990370
SUSE Bug 990370
https://bugzilla.suse.com/991722
SUSE Bug 991722
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.
CVE-2016-0800
SUSE Linux Enterprise Desktop 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Desktop 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Desktop 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-hmac-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12:openssl-doc-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server for SAP Applications 12:openssl-doc-1.0.1i-27.13.1
SUSE Linux Enterprise Software Development Kit 12:libopenssl-devel-1.0.1i-27.13.1
moderate
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2016/suse-su-20160617-1/
https://www.suse.com/security/cve/CVE-2016-0800.html
CVE-2016-0800
https://bugzilla.suse.com/1106871
SUSE Bug 1106871
https://bugzilla.suse.com/961377
SUSE Bug 961377
https://bugzilla.suse.com/968044
SUSE Bug 968044
https://bugzilla.suse.com/968046
SUSE Bug 968046
https://bugzilla.suse.com/968888
SUSE Bug 968888
https://bugzilla.suse.com/969591
SUSE Bug 969591
https://bugzilla.suse.com/979060
SUSE Bug 979060