Security update for openssl-3 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:02236-1 Final 1 1 2025-07-07T12:58:58Z current 2025-07-07T12:58:58Z 2025-07-07T12:58:58Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openssl-3 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). - Backport mdless cms signing support [jsc#PED-12895] The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container bci/bci-micro-fips:latest-2025-2236,Container bci/golang:1.23-openssl-2025-2236,Container bci/golang:latest-2025-2236,Container bci/spack:latest-2025-2236,Container suse/bind:latest-2025-2236,Container suse/git:latest-2025-2236,Container suse/kiosk/firefox-esr:latest-2025-2236,Container suse/kiosk/xorg:latest-2025-2236,Container suse/mariadb-client:latest-2025-2236,Container suse/mariadb:latest-2025-2236,Container suse/postgres:16-2025-2236,Container suse/postgres:latest-2025-2236,Container suse/registry:latest-2025-2236,Container suse/samba-client:latest-2025-2236,Container suse/samba-server:latest-2025-2236,Container suse/samba-toolbox:latest-2025-2236,Container suse/sle15:latest-2025-2236,Container suse/stunnel:latest-2025-2236,Container suse/valkey:latest-2025-2236,SUSE-2025-2236,SUSE-SLE-Module-Basesystem-15-SP7-2025-2236 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202502236-1/ Link for SUSE-SU-2025:02236-1 https://lists.suse.com/pipermail/sle-updates/2025-July/040629.html E-Mail link for SUSE-SU-2025:02236-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1240366 SUSE Bug 1240366 https://www.suse.com/security/cve/CVE-2025-27587/ SUSE CVE CVE-2025-27587 page Container bci/bci-micro-fips:latest Container bci/golang:1.23-openssl Container bci/golang:latest Container bci/spack:latest Container suse/bind:latest Container suse/git:latest Container suse/kiosk/firefox-esr:latest Container suse/kiosk/xorg:latest Container suse/mariadb-client:latest Container suse/mariadb:latest Container suse/postgres:16 Container suse/postgres:latest Container suse/registry:latest Container suse/samba-client:latest Container suse/samba-server:latest Container suse/samba-toolbox:latest Container suse/sle15:latest Container suse/stunnel:latest Container suse/valkey:latest SUSE Linux Enterprise Module for Basesystem 15 SP7 libopenssl-3-fips-provider-3.2.3-150700.5.10.1 libopenssl3-3.2.3-150700.5.10.1 libopenssl-3-devel-3.2.3-150700.5.10.1 openssl-3-3.2.3-150700.5.10.1 libopenssl-3-devel-32bit-3.2.3-150700.5.10.1 libopenssl-3-devel-64bit-3.2.3-150700.5.10.1 libopenssl-3-fips-provider-32bit-3.2.3-150700.5.10.1 libopenssl-3-fips-provider-64bit-3.2.3-150700.5.10.1 libopenssl3-32bit-3.2.3-150700.5.10.1 libopenssl3-64bit-3.2.3-150700.5.10.1 openssl-3-doc-3.2.3-150700.5.10.1 libopenssl-3-fips-provider-3.2.3-150700.5.10.1 as a component of Container bci/bci-micro-fips:latest libopenssl3-3.2.3-150700.5.10.1 as a component of Container bci/bci-micro-fips:latest libopenssl-3-devel-3.2.3-150700.5.10.1 as a component of Container bci/golang:1.23-openssl libopenssl-3-devel-3.2.3-150700.5.10.1 as a component of Container bci/golang:latest libopenssl-3-devel-3.2.3-150700.5.10.1 as a component of Container bci/spack:latest libopenssl3-3.2.3-150700.5.10.1 as a component of Container suse/bind:latest libopenssl3-3.2.3-150700.5.10.1 as a component of Container suse/git:latest libopenssl3-3.2.3-150700.5.10.1 as a component of Container suse/kiosk/firefox-esr:latest libopenssl3-3.2.3-150700.5.10.1 as a component of Container suse/kiosk/xorg:latest libopenssl3-3.2.3-150700.5.10.1 as a component of Container suse/mariadb-client:latest libopenssl3-3.2.3-150700.5.10.1 as a component of Container suse/mariadb:latest openssl-3-3.2.3-150700.5.10.1 as a component of Container suse/mariadb:latest libopenssl3-3.2.3-150700.5.10.1 as a component of Container suse/postgres:16 libopenssl3-3.2.3-150700.5.10.1 as a component of Container suse/postgres:latest libopenssl3-3.2.3-150700.5.10.1 as a component of Container suse/registry:latest openssl-3-3.2.3-150700.5.10.1 as a component of Container suse/registry:latest libopenssl3-3.2.3-150700.5.10.1 as a component of Container suse/samba-client:latest libopenssl3-3.2.3-150700.5.10.1 as a component of Container suse/samba-server:latest libopenssl3-3.2.3-150700.5.10.1 as a component of Container suse/samba-toolbox:latest libopenssl-3-fips-provider-3.2.3-150700.5.10.1 as a component of Container suse/sle15:latest libopenssl3-3.2.3-150700.5.10.1 as a component of Container suse/sle15:latest openssl-3-3.2.3-150700.5.10.1 as a component of Container suse/sle15:latest libopenssl3-3.2.3-150700.5.10.1 as a component of Container suse/stunnel:latest libopenssl3-3.2.3-150700.5.10.1 as a component of Container suse/valkey:latest libopenssl-3-devel-3.2.3-150700.5.10.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libopenssl-3-fips-provider-3.2.3-150700.5.10.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libopenssl-3-fips-provider-32bit-3.2.3-150700.5.10.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libopenssl3-3.2.3-150700.5.10.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libopenssl3-32bit-3.2.3-150700.5.10.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 openssl-3-3.2.3-150700.5.10.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 OpenSSL 3.0.0 through 3.3.2 on the PowerPC architecture is vulnerable to a Minerva attack, exploitable by measuring the time of signing of random messages using the EVP_DigestSign API, and then using the private key to extract the K value (nonce) from the signatures. Next, based on the bit size of the extracted nonce, one can compare the signing time of full-sized nonces to signatures that used smaller nonces, via statistical tests. There is a side-channel in the P-364 curve that allows private key extraction (also, there is a dependency between the bit size of K and the size of the side channel). NOTE: This CVE is disputed because the OpenSSL security policy explicitly notes that any side channels which require same physical system to be detected are outside of the threat model for the software. The timing signal is so small that it is infeasible to be detected without having the attacking process running on the same physical system. CVE-2025-27587 Container bci/bci-micro-fips:latest:libopenssl-3-fips-provider-3.2.3-150700.5.10.1 Container bci/bci-micro-fips:latest:libopenssl3-3.2.3-150700.5.10.1 Container bci/golang:1.23-openssl:libopenssl-3-devel-3.2.3-150700.5.10.1 Container bci/golang:latest:libopenssl-3-devel-3.2.3-150700.5.10.1 Container bci/spack:latest:libopenssl-3-devel-3.2.3-150700.5.10.1 Container suse/bind:latest:libopenssl3-3.2.3-150700.5.10.1 Container suse/git:latest:libopenssl3-3.2.3-150700.5.10.1 Container suse/kiosk/firefox-esr:latest:libopenssl3-3.2.3-150700.5.10.1 Container suse/kiosk/xorg:latest:libopenssl3-3.2.3-150700.5.10.1 Container suse/mariadb-client:latest:libopenssl3-3.2.3-150700.5.10.1 Container suse/mariadb:latest:libopenssl3-3.2.3-150700.5.10.1 Container suse/mariadb:latest:openssl-3-3.2.3-150700.5.10.1 Container suse/postgres:16:libopenssl3-3.2.3-150700.5.10.1 Container suse/postgres:latest:libopenssl3-3.2.3-150700.5.10.1 Container suse/registry:latest:libopenssl3-3.2.3-150700.5.10.1 Container suse/registry:latest:openssl-3-3.2.3-150700.5.10.1 Container suse/samba-client:latest:libopenssl3-3.2.3-150700.5.10.1 Container suse/samba-server:latest:libopenssl3-3.2.3-150700.5.10.1 Container suse/samba-toolbox:latest:libopenssl3-3.2.3-150700.5.10.1 Container suse/sle15:latest:libopenssl-3-fips-provider-3.2.3-150700.5.10.1 Container suse/sle15:latest:libopenssl3-3.2.3-150700.5.10.1 Container suse/sle15:latest:openssl-3-3.2.3-150700.5.10.1 Container suse/stunnel:latest:libopenssl3-3.2.3-150700.5.10.1 Container suse/valkey:latest:libopenssl3-3.2.3-150700.5.10.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libopenssl-3-devel-3.2.3-150700.5.10.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libopenssl-3-fips-provider-3.2.3-150700.5.10.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libopenssl-3-fips-provider-32bit-3.2.3-150700.5.10.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libopenssl3-3.2.3-150700.5.10.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libopenssl3-32bit-3.2.3-150700.5.10.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:openssl-3-3.2.3-150700.5.10.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502236-1/ https://www.suse.com/security/cve/CVE-2025-27587.html CVE-2025-27587 https://bugzilla.suse.com/1240366 SUSE Bug 1240366