Security update for openCryptoki SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:1447-1 Final 1 1 2024-04-26T08:04:43Z current 2024-04-26T08:04:43Z 2024-04-26T08:04:43Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openCryptoki This update for openCryptoki fixes the following issues: Upgrade openCryptoki to version 3.23 (jsc#PED-3360, jsc#PED-3361) * EP11: Add support for FIPS-session mode * CVE-2024-0914: Updates to harden against RSA timing attacks (bsc#1219217) * Bug fixes - provide user(pkcs11) and group(pkcs11) Upgrade to version 3.22 (jsc#PED-3361) - CCA: Add support for the AES-XTS key type using CPACF protected keys - p11sak: Add support for managing certificate objects - p11sak: Add support for public sessions (no-login option) - p11sak: Add support for logging in as SO (security Officer) - p11sak: Add support for importing/exporting Edwards and Montgomery keys - p11sak: Add support for importing of RSA-PSS keys and certificates - CCA/EP11/Soft/ICA: Ensure that the 2 key parts of an AES-XTS key are different Update to version 3.21 (jsc#PED-3360, jsc#PED-3361) - EP11 and CCA: Support concurrent HSM master key changes - CCA: protected-key option - pkcsslotd: no longer run as root user and further hardening - p11sak: Add support for additional key types (DH, DSA, generic secret) - p11sak: Allow wildcards in label filter - p11sak: Allow to specify hex value for CKA_ID attribute - p11sak: Support sorting when listing keys - p11sak: New commands: set-key-attr, copy-key to modify and copy keys - p11sak: New commands: import-key, export-key to import and export keys - Remove support for --disable-locks (transactional memory) - Updates to harden against RSA timing attacks - Bug fixes The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-1447,SUSE-SLE-Micro-5.5-2024-1447,SUSE-SLE-Module-Server-Applications-15-SP5-2024-1447,openSUSE-SLE-15.5-2024-1447 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20241447-1/ Link for SUSE-SU-2024:1447-1 https://lists.suse.com/pipermail/sle-security-updates/2024-April/018430.html E-Mail link for SUSE-SU-2024:1447-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1219217 SUSE Bug 1219217 https://www.suse.com/security/cve/CVE-2024-0914/ SUSE CVE CVE-2024-0914 page SUSE Linux Enterprise Micro 5.5 SUSE Linux Enterprise Module for Server Applications 15 SP5 openSUSE Leap 15.5 openCryptoki-3.23.0-150500.3.3.13 openCryptoki-32bit-3.23.0-150500.3.3.13 openCryptoki-64bit-3.23.0-150500.3.3.13 openCryptoki-devel-3.23.0-150500.3.3.13 openCryptoki-3.23.0-150500.3.3.13 as a component of SUSE Linux Enterprise Micro 5.5 openCryptoki-3.23.0-150500.3.3.13 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP5 openCryptoki-64bit-3.23.0-150500.3.3.13 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP5 openCryptoki-devel-3.23.0-150500.3.3.13 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP5 openCryptoki-3.23.0-150500.3.3.13 as a component of openSUSE Leap 15.5 openCryptoki-64bit-3.23.0-150500.3.3.13 as a component of openSUSE Leap 15.5 openCryptoki-devel-3.23.0-150500.3.3.13 as a component of openSUSE Leap 15.5 A timing side-channel vulnerability has been discovered in the opencryptoki package while processing RSA PKCS#1 v1.5 padded ciphertexts. This flaw could potentially enable unauthorized RSA ciphertext decryption or signing, even without access to the corresponding private key. CVE-2024-0914 SUSE Linux Enterprise Micro 5.5:openCryptoki-3.23.0-150500.3.3.13 SUSE Linux Enterprise Module for Server Applications 15 SP5:openCryptoki-3.23.0-150500.3.3.13 SUSE Linux Enterprise Module for Server Applications 15 SP5:openCryptoki-64bit-3.23.0-150500.3.3.13 SUSE Linux Enterprise Module for Server Applications 15 SP5:openCryptoki-devel-3.23.0-150500.3.3.13 openSUSE Leap 15.5:openCryptoki-3.23.0-150500.3.3.13 openSUSE Leap 15.5:openCryptoki-64bit-3.23.0-150500.3.3.13 openSUSE Leap 15.5:openCryptoki-devel-3.23.0-150500.3.3.13 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241447-1/ https://www.suse.com/security/cve/CVE-2024-0914.html CVE-2024-0914 https://bugzilla.suse.com/1219217 SUSE Bug 1219217