Security update for openssl SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:2928-2 Final 1 1 2018-10-18T12:49:50Z current 2018-10-18T12:49:50Z 2018-10-18T12:49:50Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openssl This update for openssl fixes the following issues: These security issues were fixed: - Prevent One&Done side-channel attack on RSA that allowed physically near attackers to use EM emanations to recover information (bsc#1104789) - CVE-2018-0737: The RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could have recovered the private key (bsc#1089039) These non-security issues were fixed: - Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470) - Fixed path to the engines which are under /lib64 on SLE-12 (bsc#1101246, bsc#997043) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-SERVER-12-SP2-BCL-2018-2069 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20182928-2/ Link for SUSE-SU-2018:2928-2 https://lists.suse.com/pipermail/sle-security-updates/2018-October/004729.html E-Mail link for SUSE-SU-2018:2928-2 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1089039 SUSE Bug 1089039 https://bugzilla.suse.com/1101246 SUSE Bug 1101246 https://bugzilla.suse.com/1101470 SUSE Bug 1101470 https://bugzilla.suse.com/1104789 SUSE Bug 1104789 https://bugzilla.suse.com/1106197 SUSE Bug 1106197 https://bugzilla.suse.com/997043 SUSE Bug 997043 https://www.suse.com/security/cve/CVE-2018-0737/ SUSE CVE CVE-2018-0737 page SUSE Linux Enterprise Server 12 SP2-BCL libopenssl-devel-1.0.2j-60.39.1 libopenssl1_0_0-1.0.2j-60.39.1 libopenssl1_0_0-32bit-1.0.2j-60.39.1 libopenssl1_0_0-hmac-1.0.2j-60.39.1 libopenssl1_0_0-hmac-32bit-1.0.2j-60.39.1 openssl-1.0.2j-60.39.1 openssl-doc-1.0.2j-60.39.1 libopenssl-devel-1.0.2j-60.39.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL libopenssl1_0_0-1.0.2j-60.39.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL libopenssl1_0_0-32bit-1.0.2j-60.39.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL libopenssl1_0_0-hmac-1.0.2j-60.39.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL libopenssl1_0_0-hmac-32bit-1.0.2j-60.39.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL openssl-1.0.2j-60.39.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL openssl-doc-1.0.2j-60.39.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o). CVE-2018-0737 SUSE Linux Enterprise Server 12 SP2-BCL:libopenssl-devel-1.0.2j-60.39.1 SUSE Linux Enterprise Server 12 SP2-BCL:libopenssl1_0_0-1.0.2j-60.39.1 SUSE Linux Enterprise Server 12 SP2-BCL:libopenssl1_0_0-32bit-1.0.2j-60.39.1 SUSE Linux Enterprise Server 12 SP2-BCL:libopenssl1_0_0-hmac-1.0.2j-60.39.1 SUSE Linux Enterprise Server 12 SP2-BCL:libopenssl1_0_0-hmac-32bit-1.0.2j-60.39.1 SUSE Linux Enterprise Server 12 SP2-BCL:openssl-1.0.2j-60.39.1 SUSE Linux Enterprise Server 12 SP2-BCL:openssl-doc-1.0.2j-60.39.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20182928-2/ https://www.suse.com/security/cve/CVE-2018-0737.html CVE-2018-0737 https://bugzilla.suse.com/1089039 SUSE Bug 1089039 https://bugzilla.suse.com/1089041 SUSE Bug 1089041 https://bugzilla.suse.com/1089044 SUSE Bug 1089044 https://bugzilla.suse.com/1089045 SUSE Bug 1089045 https://bugzilla.suse.com/1108542 SUSE Bug 1108542 https://bugzilla.suse.com/1123780 SUSE Bug 1123780 https://bugzilla.suse.com/1126909 SUSE Bug 1126909