Security update for compat-openssl097g SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:2534-1 Final 1 1 2018-08-28T09:05:06Z current 2018-08-28T09:05:06Z 2018-08-28T09:05:06Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for compat-openssl097g This update for compat-openssl097g fixes the following issues: These security issues were fixed: - CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (bsc#1097158) - CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could have resulted in DoS (bsc#1087102) This non-security issue was fixed: - Fixed crash in DES_fcrypt (bsc#1065363) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). slesappsp4-compat-openssl097g-13753 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20182534-1/ Link for SUSE-SU-2018:2534-1 https://www.suse.com/support/update/announcement/2018/suse-su-20182534-1.html E-Mail link for SUSE-SU-2018:2534-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1065363 SUSE Bug 1065363 https://bugzilla.suse.com/1087102 SUSE Bug 1087102 https://bugzilla.suse.com/1097158 SUSE Bug 1097158 https://www.suse.com/security/cve/CVE-2018-0732/ SUSE CVE CVE-2018-0732 page https://www.suse.com/security/cve/CVE-2018-0739/ SUSE CVE CVE-2018-0739 page SUSE Linux Enterprise Server for SAP Applications 11 SP4 compat-openssl097g-0.9.7g-146.22.51.5.1 compat-openssl097g-32bit-0.9.7g-146.22.51.5.1 compat-openssl097g-0.9.7g-146.22.51.5.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 compat-openssl097g-32bit-0.9.7g-146.22.51.5.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o). CVE-2018-0732 SUSE Linux Enterprise Server for SAP Applications 11 SP4:compat-openssl097g-0.9.7g-146.22.51.5.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:compat-openssl097g-32bit-0.9.7g-146.22.51.5.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20182534-1/ https://www.suse.com/security/cve/CVE-2018-0732.html CVE-2018-0732 https://bugzilla.suse.com/1077628 SUSE Bug 1077628 https://bugzilla.suse.com/1097158 SUSE Bug 1097158 https://bugzilla.suse.com/1099502 SUSE Bug 1099502 https://bugzilla.suse.com/1106692 SUSE Bug 1106692 https://bugzilla.suse.com/1108542 SUSE Bug 1108542 https://bugzilla.suse.com/1110163 SUSE Bug 1110163 https://bugzilla.suse.com/1112097 SUSE Bug 1112097 https://bugzilla.suse.com/1122198 SUSE Bug 1122198 https://bugzilla.suse.com/1148697 SUSE Bug 1148697 Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n). CVE-2018-0739 SUSE Linux Enterprise Server for SAP Applications 11 SP4:compat-openssl097g-0.9.7g-146.22.51.5.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:compat-openssl097g-32bit-0.9.7g-146.22.51.5.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20182534-1/ https://www.suse.com/security/cve/CVE-2018-0739.html CVE-2018-0739 https://bugzilla.suse.com/1087102 SUSE Bug 1087102 https://bugzilla.suse.com/1089997 SUSE Bug 1089997 https://bugzilla.suse.com/1094291 SUSE Bug 1094291 https://bugzilla.suse.com/1108542 SUSE Bug 1108542