Security update for openssl-3 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:1516-1 Final 1 1 2025-05-08T13:17:46Z current 2025-05-08T13:17:46Z 2025-05-08T13:17:46Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openssl-3 This update for openssl-3 fixes the following issues: - CVE-2024-6119: Fixed denial of service in X.509 name checks (bsc#1229465) Other fixes: - FIPS: Deny SHA-1 signature verification in FIPS provider (bsc#1221365). - FIPS: RSA keygen PCT requirements. - FIPS: Check that the fips provider is available before setting it as the default provider in FIPS mode (bsc#1220523). - FIPS: Port openssl to use jitterentropy (bsc#1220523). - FIPS: Block non-Approved Elliptic Curves (bsc#1221786). - FIPS: Service Level Indicator (bsc#1221365). - FIPS: Output the FIPS-validation name and module version which uniquely identify the FIPS validated module (bsc#1221751). - FIPS: Add required selftests: (bsc#1221760). - FIPS: DH: Disable FIPS 186-4 Domain Parameters (bsc#1221821). - FIPS: Recommendation for Password-Based Key Derivation (bsc#1221827). - FIPS: Zero initialization required (bsc#1221752). - FIPS: Reseed DRBG (bsc#1220690, bsc#1220693, bsc#1220696). - FIPS: NIST SP 800-56Brev2 (bsc#1221824). - FIPS: Approved Modulus Sizes for RSA Digital Signature for FIPS 186-4 (bsc#1221787). - FIPS: Port openssl to use jitterentropy (bsc#1220523). - FIPS: NIST SP 800-56Arev3 (bsc#1221822). - FIPS: Error state has to be enforced (bsc#1221753). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-1516,SUSE-SLE-Module-Certifications-15-SP7-2025-1516 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20251516-1/ Link for SUSE-SU-2025:1516-1 https://lists.suse.com/pipermail/sle-updates/2025-May/039185.html E-Mail link for SUSE-SU-2025:1516-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1220523 SUSE Bug 1220523 https://bugzilla.suse.com/1220690 SUSE Bug 1220690 https://bugzilla.suse.com/1220693 SUSE Bug 1220693 https://bugzilla.suse.com/1220696 SUSE Bug 1220696 https://bugzilla.suse.com/1221365 SUSE Bug 1221365 https://bugzilla.suse.com/1221751 SUSE Bug 1221751 https://bugzilla.suse.com/1221752 SUSE Bug 1221752 https://bugzilla.suse.com/1221753 SUSE Bug 1221753 https://bugzilla.suse.com/1221760 SUSE Bug 1221760 https://bugzilla.suse.com/1221786 SUSE Bug 1221786 https://bugzilla.suse.com/1221787 SUSE Bug 1221787 https://bugzilla.suse.com/1221821 SUSE Bug 1221821 https://bugzilla.suse.com/1221822 SUSE Bug 1221822 https://bugzilla.suse.com/1221824 SUSE Bug 1221824 https://bugzilla.suse.com/1221827 SUSE Bug 1221827 https://bugzilla.suse.com/1229465 SUSE Bug 1229465 https://www.suse.com/security/cve/CVE-2024-6119/ SUSE CVE CVE-2024-6119 page SUSE Linux Enterprise Module for Certifications 15 SP7 libopenssl-3-fips-provider-3.1.4-150600.5.15.1 libopenssl-3-fips-provider-3.1.4-150600.5.15.1 as a component of SUSE Linux Enterprise Module for Certifications 15 SP7 Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can a cause a denial of service. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address. TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. CVE-2024-6119 SUSE Linux Enterprise Module for Certifications 15 SP7:libopenssl-3-fips-provider-3.1.4-150600.5.15.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251516-1/ https://www.suse.com/security/cve/CVE-2024-6119.html CVE-2024-6119 https://bugzilla.suse.com/1229465 SUSE Bug 1229465