Security update for openssl SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2016:0442-1 Final 1 1 2016-02-12T09:27:01Z current 2016-02-12T09:27:01Z 2016-02-12T09:27:01Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openssl This update for openssl fixes the following issues: - CVE-2015-3197: A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2. (boo#963415) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2016/suse-su-20160442-1/ Link for SUSE-SU-2016:0442-1 E-Mail link for SUSE-SU-2016:0442-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings libopenssl-devel-1.0.1k-11.78.1 libopenssl-devel-32bit-1.0.1k-11.78.1 libopenssl1_0_0-1.0.1k-11.78.1 libopenssl1_0_0-32bit-1.0.1k-11.78.1 openssl-1.0.1k-11.78.1 openssl-doc-1.0.1k-11.78.1 ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions. CVE-2015-3197 low 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N Please Install the update. https://www.suse.com/support/update/announcement/2016/suse-su-20160442-1/ https://www.suse.com/security/cve/CVE-2015-3197.html CVE-2015-3197 https://bugzilla.suse.com/963410 SUSE Bug 963410 https://bugzilla.suse.com/963415 SUSE Bug 963415 https://bugzilla.suse.com/968044 SUSE Bug 968044 https://bugzilla.suse.com/968046 SUSE Bug 968046