Security update for libressl SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:1212-1 Final 1 1 2017-05-08T11:39:01Z current 2017-05-08T11:39:01Z 2017-05-08T11:39:01Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libressl This update for libressl to version 2.5.1 fixes the following issues: These security issues were fixed: - CVE-2016-0702: Prevent side channel attack on modular exponentiation (boo#968050). - CVE-2016-7056: Avoid a side-channel cache-timing attack that can leak the ECDSA private keys when signing (boo#1019334). These non-security issues were fixed: - Detect zero-length encrypted session data early - Curve25519 Key Exchange support. - Support for alternate chains for certificate verification. - Added EVP interface for MD5+SHA1 hashes - Fixed DTLS client failures when the server sends a certificate request. - Corrected handling of padding when upgrading an SSLv2 challenge into an SSLv3/TLS connection. - Allowed protocols and ciphers to be set on a TLS config object in libtls. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-05/msg00027.html E-Mail link for openSUSE-SU-2017:1212-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 libcrypto41-2.5.3-13.1 libcrypto41-32bit-2.5.3-13.1 libressl-2.5.3-13.1 libressl-devel-2.5.3-13.1 libressl-devel-32bit-2.5.3-13.1 libressl-devel-doc-2.5.3-13.1 libssl43-2.5.3-13.1 libssl43-32bit-2.5.3-13.1 libtls15-2.5.3-13.1 libtls15-32bit-2.5.3-13.1 libcrypto41-2.5.3-13.1 as a component of openSUSE Leap 42.1 libcrypto41-32bit-2.5.3-13.1 as a component of openSUSE Leap 42.1 libressl-2.5.3-13.1 as a component of openSUSE Leap 42.1 libressl-devel-2.5.3-13.1 as a component of openSUSE Leap 42.1 libressl-devel-32bit-2.5.3-13.1 as a component of openSUSE Leap 42.1 libressl-devel-doc-2.5.3-13.1 as a component of openSUSE Leap 42.1 libssl43-2.5.3-13.1 as a component of openSUSE Leap 42.1 libssl43-32bit-2.5.3-13.1 as a component of openSUSE Leap 42.1 libtls15-2.5.3-13.1 as a component of openSUSE Leap 42.1 libtls15-32bit-2.5.3-13.1 as a component of openSUSE Leap 42.1 The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a "CacheBleed" attack. CVE-2016-0702 openSUSE Leap 42.1:libcrypto41-2.5.3-13.1 openSUSE Leap 42.1:libcrypto41-32bit-2.5.3-13.1 openSUSE Leap 42.1:libressl-2.5.3-13.1 openSUSE Leap 42.1:libressl-devel-2.5.3-13.1 openSUSE Leap 42.1:libressl-devel-32bit-2.5.3-13.1 openSUSE Leap 42.1:libressl-devel-doc-2.5.3-13.1 openSUSE Leap 42.1:libssl43-2.5.3-13.1 openSUSE Leap 42.1:libssl43-32bit-2.5.3-13.1 openSUSE Leap 42.1:libtls15-2.5.3-13.1 openSUSE Leap 42.1:libtls15-32bit-2.5.3-13.1 low Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-05/msg00027.html https://www.suse.com/security/cve/CVE-2016-0702.html CVE-2016-0702 https://bugzilla.suse.com/1007806 SUSE Bug 1007806 https://bugzilla.suse.com/968044 SUSE Bug 968044 https://bugzilla.suse.com/968050 SUSE Bug 968050 https://bugzilla.suse.com/971238 SUSE Bug 971238 https://bugzilla.suse.com/990370 SUSE Bug 990370 A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys. CVE-2016-7056 openSUSE Leap 42.1:libcrypto41-2.5.3-13.1 openSUSE Leap 42.1:libcrypto41-32bit-2.5.3-13.1 openSUSE Leap 42.1:libressl-2.5.3-13.1 openSUSE Leap 42.1:libressl-devel-2.5.3-13.1 openSUSE Leap 42.1:libressl-devel-32bit-2.5.3-13.1 openSUSE Leap 42.1:libressl-devel-doc-2.5.3-13.1 openSUSE Leap 42.1:libssl43-2.5.3-13.1 openSUSE Leap 42.1:libssl43-32bit-2.5.3-13.1 openSUSE Leap 42.1:libtls15-2.5.3-13.1 openSUSE Leap 42.1:libtls15-32bit-2.5.3-13.1 moderate 4.9 AV:L/AC:L/Au:N/C:C/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-05/msg00027.html https://www.suse.com/security/cve/CVE-2016-7056.html CVE-2016-7056 https://bugzilla.suse.com/1005878 SUSE Bug 1005878 https://bugzilla.suse.com/1018910 SUSE Bug 1018910 https://bugzilla.suse.com/1019334 SUSE Bug 1019334