Security update for openssl-1_1 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0476-1 Final 1 1 2021-03-25T22:06:05Z current 2021-03-25T22:06:05Z 2021-03-25T22:06:05Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openssl-1_1 This update for openssl-1_1 fixes the security issue: * CVE-2021-3449: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. OpenSSL TLS clients are not impacted by this issue. [bsc#1183852] This update was imported from the SUSE:SLE-15-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-476 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YRCNDGXHP3DJBJKDGVACNKEWGRZDKQRJ/ E-Mail link for openSUSE-SU-2021:0476-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1183852 SUSE Bug 1183852 https://www.suse.com/security/cve/CVE-2021-3449/ SUSE CVE CVE-2021-3449 page openSUSE Leap 15.2 libopenssl-1_1-devel-1.1.1d-lp152.7.15.1 libopenssl-1_1-devel-32bit-1.1.1d-lp152.7.15.1 libopenssl1_1-1.1.1d-lp152.7.15.1 libopenssl1_1-32bit-1.1.1d-lp152.7.15.1 libopenssl1_1-hmac-1.1.1d-lp152.7.15.1 libopenssl1_1-hmac-32bit-1.1.1d-lp152.7.15.1 openssl-1_1-1.1.1d-lp152.7.15.1 openssl-1_1-doc-1.1.1d-lp152.7.15.1 libopenssl-1_1-devel-1.1.1d-lp152.7.15.1 as a component of openSUSE Leap 15.2 libopenssl-1_1-devel-32bit-1.1.1d-lp152.7.15.1 as a component of openSUSE Leap 15.2 libopenssl1_1-1.1.1d-lp152.7.15.1 as a component of openSUSE Leap 15.2 libopenssl1_1-32bit-1.1.1d-lp152.7.15.1 as a component of openSUSE Leap 15.2 libopenssl1_1-hmac-1.1.1d-lp152.7.15.1 as a component of openSUSE Leap 15.2 libopenssl1_1-hmac-32bit-1.1.1d-lp152.7.15.1 as a component of openSUSE Leap 15.2 openssl-1_1-1.1.1d-lp152.7.15.1 as a component of openSUSE Leap 15.2 openssl-1_1-doc-1.1.1d-lp152.7.15.1 as a component of openSUSE Leap 15.2 An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j). CVE-2021-3449 openSUSE Leap 15.2:libopenssl-1_1-devel-1.1.1d-lp152.7.15.1 openSUSE Leap 15.2:libopenssl-1_1-devel-32bit-1.1.1d-lp152.7.15.1 openSUSE Leap 15.2:libopenssl1_1-1.1.1d-lp152.7.15.1 openSUSE Leap 15.2:libopenssl1_1-32bit-1.1.1d-lp152.7.15.1 openSUSE Leap 15.2:libopenssl1_1-hmac-1.1.1d-lp152.7.15.1 openSUSE Leap 15.2:libopenssl1_1-hmac-32bit-1.1.1d-lp152.7.15.1 openSUSE Leap 15.2:openssl-1_1-1.1.1d-lp152.7.15.1 openSUSE Leap 15.2:openssl-1_1-doc-1.1.1d-lp152.7.15.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YRCNDGXHP3DJBJKDGVACNKEWGRZDKQRJ/ https://www.suse.com/security/cve/CVE-2021-3449.html CVE-2021-3449 https://bugzilla.suse.com/1183852 SUSE Bug 1183852