Security update for openssl SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2016:2387-1 Final 1 1 2016-09-26T14:01:02Z current 2016-09-26T14:01:02Z 2016-09-26T14:01:02Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openssl This update for openssl fixes the following issues: OpenSSL Security Advisory [22 Sep 2016] (bsc#999665) Severity: High * OCSP Status Request extension unbounded memory growth (CVE-2016-6304) (bsc#999666) Severity: Low * Pointer arithmetic undefined behaviour (CVE-2016-2177) (bsc#982575) * Constant time flag not preserved in DSA signing (CVE-2016-2178) (bsc#983249) * DTLS buffered message DoS (CVE-2016-2179) (bsc#994844) * OOB read in TS_OBJ_print_bio() (CVE-2016-2180) (bsc#990419) * DTLS replay protection DoS (CVE-2016-2181) (bsc#994749) * OOB write in BN_bn2dec() (CVE-2016-2182) (bsc#993819) * Birthday attack against 64-bit block ciphers (SWEET32) (CVE-2016-2183) (bsc#995359) * Malformed SHA512 ticket DoS (CVE-2016-6302) (bsc#995324) * OOB write in MDC2_Update() (CVE-2016-6303) (bsc#995377) * Certificate message OOB reads (CVE-2016-6306) (bsc#999668) More information can be found on: https://www.openssl.org/news/secadv/20160922.txt Also following bugs were fixed: * update expired S/MIME certs (bsc#979475) * improve s390x performance (bsc#982745) * allow >= 64GB AESGCM transfers (bsc#988591) * fix crash in print_notice (bsc#998190) * resume reading from /dev/urandom when interrupted by a signal (bsc#995075) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-SAP-12-2016-1386,SUSE-SLE-SERVER-12-2016-1386 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2016/suse-su-20162387-1/ Link for SUSE-SU-2016:2387-1 https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00022.html E-Mail link for SUSE-SU-2016:2387-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/979475 SUSE Bug 979475 https://bugzilla.suse.com/982575 SUSE Bug 982575 https://bugzilla.suse.com/982745 SUSE Bug 982745 https://bugzilla.suse.com/983249 SUSE Bug 983249 https://bugzilla.suse.com/988591 SUSE Bug 988591 https://bugzilla.suse.com/990419 SUSE Bug 990419 https://bugzilla.suse.com/993819 SUSE Bug 993819 https://bugzilla.suse.com/994749 SUSE Bug 994749 https://bugzilla.suse.com/994844 SUSE Bug 994844 https://bugzilla.suse.com/995075 SUSE Bug 995075 https://bugzilla.suse.com/995324 SUSE Bug 995324 https://bugzilla.suse.com/995359 SUSE Bug 995359 https://bugzilla.suse.com/995377 SUSE Bug 995377 https://bugzilla.suse.com/998190 SUSE Bug 998190 https://bugzilla.suse.com/999665 SUSE Bug 999665 https://bugzilla.suse.com/999666 SUSE Bug 999666 https://bugzilla.suse.com/999668 SUSE Bug 999668 https://www.suse.com/security/cve/CVE-2016-2177/ SUSE CVE CVE-2016-2177 page https://www.suse.com/security/cve/CVE-2016-2178/ SUSE CVE CVE-2016-2178 page https://www.suse.com/security/cve/CVE-2016-2179/ SUSE CVE CVE-2016-2179 page https://www.suse.com/security/cve/CVE-2016-2180/ SUSE CVE CVE-2016-2180 page https://www.suse.com/security/cve/CVE-2016-2181/ SUSE CVE CVE-2016-2181 page https://www.suse.com/security/cve/CVE-2016-2182/ SUSE CVE CVE-2016-2182 page https://www.suse.com/security/cve/CVE-2016-2183/ SUSE CVE CVE-2016-2183 page https://www.suse.com/security/cve/CVE-2016-6302/ SUSE CVE CVE-2016-6302 page https://www.suse.com/security/cve/CVE-2016-6303/ SUSE CVE CVE-2016-6303 page https://www.suse.com/security/cve/CVE-2016-6304/ SUSE CVE CVE-2016-6304 page https://www.suse.com/security/cve/CVE-2016-6306/ SUSE CVE CVE-2016-6306 page SUSE Linux Enterprise Server 12-LTSS SUSE Linux Enterprise Server for SAP Applications 12 libopenssl1_0_0-1.0.1i-27.21.1 libopenssl1_0_0-32bit-1.0.1i-27.21.1 libopenssl1_0_0-hmac-1.0.1i-27.21.1 libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1 openssl-1.0.1i-27.21.1 openssl-doc-1.0.1i-27.21.1 libopenssl1_0_0-1.0.1i-27.21.1 as a component of SUSE Linux Enterprise Server 12-LTSS libopenssl1_0_0-32bit-1.0.1i-27.21.1 as a component of SUSE Linux Enterprise Server 12-LTSS libopenssl1_0_0-hmac-1.0.1i-27.21.1 as a component of SUSE Linux Enterprise Server 12-LTSS libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1 as a component of SUSE Linux Enterprise Server 12-LTSS openssl-1.0.1i-27.21.1 as a component of SUSE Linux Enterprise Server 12-LTSS openssl-doc-1.0.1i-27.21.1 as a component of SUSE Linux Enterprise Server 12-LTSS libopenssl1_0_0-1.0.1i-27.21.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 libopenssl1_0_0-32bit-1.0.1i-27.21.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 libopenssl1_0_0-hmac-1.0.1i-27.21.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 openssl-1.0.1i-27.21.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 openssl-doc-1.0.1i-27.21.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c. CVE-2016-2177 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-hmac-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:openssl-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:openssl-doc-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:openssl-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:openssl-doc-1.0.1i-27.21.1 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20162387-1/ https://www.suse.com/security/cve/CVE-2016-2177.html CVE-2016-2177 https://bugzilla.suse.com/982575 SUSE Bug 982575 https://bugzilla.suse.com/999075 SUSE Bug 999075 https://bugzilla.suse.com/999665 SUSE Bug 999665 The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack. CVE-2016-2178 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-hmac-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:openssl-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:openssl-doc-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:openssl-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:openssl-doc-1.0.1i-27.21.1 important 1.2 AV:L/AC:H/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20162387-1/ https://www.suse.com/security/cve/CVE-2016-2178.html CVE-2016-2178 https://bugzilla.suse.com/1004104 SUSE Bug 1004104 https://bugzilla.suse.com/983249 SUSE Bug 983249 https://bugzilla.suse.com/983519 SUSE Bug 983519 https://bugzilla.suse.com/999665 SUSE Bug 999665 The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c. CVE-2016-2179 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-hmac-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:openssl-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:openssl-doc-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:openssl-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:openssl-doc-1.0.1i-27.21.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20162387-1/ https://www.suse.com/security/cve/CVE-2016-2179.html CVE-2016-2179 https://bugzilla.suse.com/1004104 SUSE Bug 1004104 https://bugzilla.suse.com/994844 SUSE Bug 994844 https://bugzilla.suse.com/999665 SUSE Bug 999665 The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp file that is mishandled by the "openssl ts" command. CVE-2016-2180 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-hmac-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:openssl-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:openssl-doc-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:openssl-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:openssl-doc-1.0.1i-27.21.1 important 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20162387-1/ https://www.suse.com/security/cve/CVE-2016-2180.html CVE-2016-2180 https://bugzilla.suse.com/1003811 SUSE Bug 1003811 https://bugzilla.suse.com/990419 SUSE Bug 990419 https://bugzilla.suse.com/999665 SUSE Bug 999665 The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, related to rec_layer_d1.c and ssl3_record.c. CVE-2016-2181 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-hmac-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:openssl-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:openssl-doc-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:openssl-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:openssl-doc-1.0.1i-27.21.1 important 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20162387-1/ https://www.suse.com/security/cve/CVE-2016-2181.html CVE-2016-2181 https://bugzilla.suse.com/1004104 SUSE Bug 1004104 https://bugzilla.suse.com/994749 SUSE Bug 994749 https://bugzilla.suse.com/994844 SUSE Bug 994844 https://bugzilla.suse.com/999665 SUSE Bug 999665 The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors. CVE-2016-2182 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-hmac-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:openssl-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:openssl-doc-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:openssl-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:openssl-doc-1.0.1i-27.21.1 important 3.6 AV:N/AC:H/Au:S/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20162387-1/ https://www.suse.com/security/cve/CVE-2016-2182.html CVE-2016-2182 https://bugzilla.suse.com/1004104 SUSE Bug 1004104 https://bugzilla.suse.com/993819 SUSE Bug 993819 https://bugzilla.suse.com/994844 SUSE Bug 994844 https://bugzilla.suse.com/995959 SUSE Bug 995959 https://bugzilla.suse.com/999665 SUSE Bug 999665 The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. CVE-2016-2183 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-hmac-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:openssl-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:openssl-doc-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:openssl-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:openssl-doc-1.0.1i-27.21.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20162387-1/ https://www.suse.com/security/cve/CVE-2016-2183.html CVE-2016-2183 https://bugzilla.suse.com/1001912 SUSE Bug 1001912 https://bugzilla.suse.com/1024218 SUSE Bug 1024218 https://bugzilla.suse.com/1027038 SUSE Bug 1027038 https://bugzilla.suse.com/1034689 SUSE Bug 1034689 https://bugzilla.suse.com/1056614 SUSE Bug 1056614 https://bugzilla.suse.com/1171693 SUSE Bug 1171693 https://bugzilla.suse.com/994844 SUSE Bug 994844 https://bugzilla.suse.com/995359 SUSE Bug 995359 The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short. CVE-2016-6302 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-hmac-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:openssl-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:openssl-doc-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:openssl-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:openssl-doc-1.0.1i-27.21.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20162387-1/ https://www.suse.com/security/cve/CVE-2016-6302.html CVE-2016-6302 https://bugzilla.suse.com/1004104 SUSE Bug 1004104 https://bugzilla.suse.com/994844 SUSE Bug 994844 https://bugzilla.suse.com/995324 SUSE Bug 995324 https://bugzilla.suse.com/999665 SUSE Bug 999665 Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors. CVE-2016-6303 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-hmac-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:openssl-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:openssl-doc-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:openssl-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:openssl-doc-1.0.1i-27.21.1 important 1.5 AV:L/AC:M/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20162387-1/ https://www.suse.com/security/cve/CVE-2016-6303.html CVE-2016-6303 https://bugzilla.suse.com/1004104 SUSE Bug 1004104 https://bugzilla.suse.com/1115893 SUSE Bug 1115893 https://bugzilla.suse.com/994844 SUSE Bug 994844 https://bugzilla.suse.com/995377 SUSE Bug 995377 https://bugzilla.suse.com/999665 SUSE Bug 999665 Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions. CVE-2016-6304 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-hmac-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:openssl-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:openssl-doc-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:openssl-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:openssl-doc-1.0.1i-27.21.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20162387-1/ https://www.suse.com/security/cve/CVE-2016-6304.html CVE-2016-6304 https://bugzilla.suse.com/1001706 SUSE Bug 1001706 https://bugzilla.suse.com/1003811 SUSE Bug 1003811 https://bugzilla.suse.com/1004104 SUSE Bug 1004104 https://bugzilla.suse.com/1005579 SUSE Bug 1005579 https://bugzilla.suse.com/1021375 SUSE Bug 1021375 https://bugzilla.suse.com/999665 SUSE Bug 999665 https://bugzilla.suse.com/999666 SUSE Bug 999666 The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c. CVE-2016-6306 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-hmac-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:openssl-1.0.1i-27.21.1 SUSE Linux Enterprise Server 12-LTSS:openssl-doc-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:openssl-1.0.1i-27.21.1 SUSE Linux Enterprise Server for SAP Applications 12:openssl-doc-1.0.1i-27.21.1 important 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20162387-1/ https://www.suse.com/security/cve/CVE-2016-6306.html CVE-2016-6306 https://bugzilla.suse.com/1004104 SUSE Bug 1004104 https://bugzilla.suse.com/999665 SUSE Bug 999665 https://bugzilla.suse.com/999668 SUSE Bug 999668