| Revision Date: | 2015-01-30 | Version: | 1 |
| Title: | Security update for openssl (Moderate) |
| Description: |
OpenSSL was updated to fix security issues and also provide FIPS compliance.
Security issues fixed: CVE-2014-3570: Bignum squaring (BN_sqr) may have produced incorrect results on some platforms, including x86_64.
CVE-2014-3571: Fixed crash in dtls1_get_record whilst in the listen state where you get two separate reads performed - one for the header and one for the body of the handshake record.
CVE-2014-3572: No longer accept a handshake using an ephemeral ECDH ciphersuites with the server key exchange message omitted.
CVE-2014-8275: Fixed various certificate fingerprint issues.
CVE-2015-0204: Only allow ephemeral RSA keys in export ciphersuites.
CVE-2015-0205: Fix to prevent use of DH client certificates without sending certificate verify message.
CVE-2015-0206: A memory leak could have occured in dtls1_buffer_record.
Bugfixes: - Do not advertise curves we don't support (bsc#906878)
FIPS changes: - Make RSA2 key generation FIPS 186-4 compliant (bsc#901902)
- X9.31 rand method is not allowed in FIPS mode.
- Do not allow dynamic ENGINEs loading in FIPS mode.
- Added a locking hack which prevents hangs in FIPS mode (bsc#895129)
- In non-FIPS RSA key generation, mirror the maximum and minimum limiters from FIPS rsa generation to meet Common Criteria and BSI TR requirements on minimum and maximum distances between p and q. (bsc#908362)
- Do constant reseeding from /dev/urandom; for every random byte pulled, seed with one byte from /dev/urandom, also change RAND_poll to pull the full state size of the SSLEAY DRBG to fulfil Common Criteria requirements. (bsc#908372)
FIPS mode can be enabled by either using the environment variable OPENSSL_FORCE_FIPS_MODE=1 or supplying the 'fips=1' parameter on the kernel boot commandline.
|
| Family: | unix | Class: | patch |
| Status: | | Reference(s): | 855676
895129
901902
906878
908362
908372
912014
912015
912018
912292
912293
912294
912296
CVE-2014-3570
CVE-2014-3571
CVE-2014-3572
CVE-2014-8275
CVE-2015-0204
CVE-2015-0205
CVE-2015-0206
|
| Platform(s): | SUSE Linux Enterprise Desktop 12
| Product(s): | |
| Definition Synopsis |
| SUSE Linux Enterprise Desktop 12 is installed AND Package Information
libopenssl1_0_0-1.0.1i-17.1 is installed
OR libopenssl1_0_0-32bit-1.0.1i-17.1 is installed
OR openssl-1.0.1i-17.1 is installed
|