Security update for openssl-1_0_0 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:4001-1 Final 1 1 2018-12-06T13:33:24Z current 2018-12-06T13:33:24Z 2018-12-06T13:33:24Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openssl-1_0_0 This update for openssl-1_0_0 fixes the following issues: Security issues fixed: - CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652). - CVE-2018-5407: Added elliptic curve scalar multiplication timing attack defenses that fixes 'PortSmash' (bsc#1113534). Non-security issues fixed: - Added missing timing side channel patch for DSA signature generation (bsc#1113742). - Set TLS version to 0 in msg_callback for record messages to avoid confusing applications (bsc#1100078). - Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Module-Development-Tools-OBS-15-2018-2862,SUSE-SLE-Module-Legacy-15-2018-2862 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20184001-1/ Link for SUSE-SU-2018:4001-1 https://lists.suse.com/pipermail/sle-security-updates/2018-December/004930.html E-Mail link for SUSE-SU-2018:4001-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1100078 SUSE Bug 1100078 https://bugzilla.suse.com/1112209 SUSE Bug 1112209 https://bugzilla.suse.com/1113534 SUSE Bug 1113534 https://bugzilla.suse.com/1113652 SUSE Bug 1113652 https://bugzilla.suse.com/1113742 SUSE Bug 1113742 https://www.suse.com/security/cve/CVE-2018-0734/ SUSE CVE CVE-2018-0734 page https://www.suse.com/security/cve/CVE-2018-5407/ SUSE CVE CVE-2018-5407 page SUSE Linux Enterprise Module for Legacy 15 libopenssl-1_0_0-devel-1.0.2p-3.11.1 libopenssl1_0_0-1.0.2p-3.11.1 openssl-1_0_0-1.0.2p-3.11.1 libopenssl-1_0_0-devel-1.0.2p-3.11.1 as a component of SUSE Linux Enterprise Module for Legacy 15 libopenssl1_0_0-1.0.2p-3.11.1 as a component of SUSE Linux Enterprise Module for Legacy 15 openssl-1_0_0-1.0.2p-3.11.1 as a component of SUSE Linux Enterprise Module for Legacy 15 The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p). CVE-2018-0734 SUSE Linux Enterprise Module for Legacy 15:libopenssl-1_0_0-devel-1.0.2p-3.11.1 SUSE Linux Enterprise Module for Legacy 15:libopenssl1_0_0-1.0.2p-3.11.1 SUSE Linux Enterprise Module for Legacy 15:openssl-1_0_0-1.0.2p-3.11.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20184001-1/ https://www.suse.com/security/cve/CVE-2018-0734.html CVE-2018-0734 https://bugzilla.suse.com/1113534 SUSE Bug 1113534 https://bugzilla.suse.com/1113652 SUSE Bug 1113652 https://bugzilla.suse.com/1113742 SUSE Bug 1113742 https://bugzilla.suse.com/1122198 SUSE Bug 1122198 https://bugzilla.suse.com/1122212 SUSE Bug 1122212 https://bugzilla.suse.com/1126909 SUSE Bug 1126909 https://bugzilla.suse.com/1148697 SUSE Bug 1148697 Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'. CVE-2018-5407 SUSE Linux Enterprise Module for Legacy 15:libopenssl-1_0_0-devel-1.0.2p-3.11.1 SUSE Linux Enterprise Module for Legacy 15:libopenssl1_0_0-1.0.2p-3.11.1 SUSE Linux Enterprise Module for Legacy 15:openssl-1_0_0-1.0.2p-3.11.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20184001-1/ https://www.suse.com/security/cve/CVE-2018-5407.html CVE-2018-5407 https://bugzilla.suse.com/1113534 SUSE Bug 1113534 https://bugzilla.suse.com/1116195 SUSE Bug 1116195 https://bugzilla.suse.com/1126909 SUSE Bug 1126909 https://bugzilla.suse.com/1148697 SUSE Bug 1148697