Security update for openCryptoki SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:2298-1 Final 1 1 2024-07-04T07:08:40Z current 2024-07-04T07:08:40Z 2024-07-04T07:08:40Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openCryptoki This update for openCryptoki fixes the following issues: openCryptoki was updated to version to 3.17.0 (bsc#1220266, bsc#1219217) + openCryptoki 3.17 - tools: added function to list keys to p11sak - common: added support for OpenSSL 3.0 - common: added support for event notifications - ICA: added SW fallbacks + openCryptoki 3.16 - EP11: protected-key option - EP11: support attribute-bound keys - CCA: import and export of secure key objects - Bug fixes + openCryptoki 3.15.1 - Bug fixes + openCryptoki 3.15 - common: conform to PKCS 11 3.0 Baseline Provider profile - Introduce new vendor defined interface named 'Vendor IBM' - Support C_IBM_ReencryptSingle via 'Vendor IBM' interface - CCA: support key wrapping - SOFT: support ECC - p11sak tool: add remove-key command - Bug fixes + openCryptoki 3.14 - EP11: Dilitium support stage 2 - Common: Rework on process and thread locking - Common: Rework on btree and object locking - ICSF: minor fixes - TPM, ICA, ICSF: support multiple token instances - new tool p11sak + openCryptoki 3.13.0 - EP11: Dilithium support - EP11: EdDSA support - EP11: support RSA-OAEP with non-SHA1 hash and MGF + openCryptoki 3.12.1 - Fix pkcsep11_migrate tool + openCryptoki 3.12.0 - Update token pin and data store encryption for soft,ica,cca and ep11 - EP11: Allow importing of compressed EC public keys - EP11: Add support for the CMAC mechanisms - EP11: Add support for the IBM-SHA3 mechanisms - SOFT: Add AES-CMAC and 3DES-CMAC support to the soft token - ICA: Add AES-CMAC and 3DES-CMAC support to the ICA token - EP11: Add config option USE_PRANDOM - CCA: Use Random Number Generate Long for token_specific_rng() - Common rng function: Prefer /dev/prandom over /dev/urandom - ICA: add SHA*_RSA_PKCS_PSS mechanisms - Bug fixes The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-2298,SUSE-SLE-SDK-12-SP5-2024-2298,SUSE-SLE-SERVER-12-SP5-2024-2298 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20242298-1/ Link for SUSE-SU-2024:2298-1 https://lists.suse.com/pipermail/sle-security-updates/2024-July/018865.html E-Mail link for SUSE-SU-2024:2298-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1219217 SUSE Bug 1219217 https://bugzilla.suse.com/1220266 SUSE Bug 1220266 https://www.suse.com/security/cve/CVE-2024-0914/ SUSE CVE CVE-2024-0914 page SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 SP5 openCryptoki-3.17.0-5.9.2 openCryptoki-32bit-3.17.0-5.9.2 openCryptoki-64bit-3.17.0-5.9.2 openCryptoki-devel-3.17.0-5.9.2 openCryptoki-3.17.0-5.9.2 as a component of SUSE Linux Enterprise Server 12 SP5 openCryptoki-32bit-3.17.0-5.9.2 as a component of SUSE Linux Enterprise Server 12 SP5 openCryptoki-64bit-3.17.0-5.9.2 as a component of SUSE Linux Enterprise Server 12 SP5 openCryptoki-3.17.0-5.9.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 openCryptoki-32bit-3.17.0-5.9.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 openCryptoki-64bit-3.17.0-5.9.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 openCryptoki-devel-3.17.0-5.9.2 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 A timing side-channel vulnerability has been discovered in the opencryptoki package while processing RSA PKCS#1 v1.5 padded ciphertexts. This flaw could potentially enable unauthorized RSA ciphertext decryption or signing, even without access to the corresponding private key. CVE-2024-0914 SUSE Linux Enterprise Server 12 SP5:openCryptoki-3.17.0-5.9.2 SUSE Linux Enterprise Server 12 SP5:openCryptoki-32bit-3.17.0-5.9.2 SUSE Linux Enterprise Server 12 SP5:openCryptoki-64bit-3.17.0-5.9.2 SUSE Linux Enterprise Server for SAP Applications 12 SP5:openCryptoki-3.17.0-5.9.2 SUSE Linux Enterprise Server for SAP Applications 12 SP5:openCryptoki-32bit-3.17.0-5.9.2 SUSE Linux Enterprise Server for SAP Applications 12 SP5:openCryptoki-64bit-3.17.0-5.9.2 SUSE Linux Enterprise Software Development Kit 12 SP5:openCryptoki-devel-3.17.0-5.9.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242298-1/ https://www.suse.com/security/cve/CVE-2024-0914.html CVE-2024-0914 https://bugzilla.suse.com/1219217 SUSE Bug 1219217