Security update for compat-openssl098 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:4068-1 Final 1 1 2018-12-11T08:21:22Z current 2018-12-11T08:21:22Z 2018-12-11T08:21:22Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for compat-openssl098 This update for compat-openssl098 fixes the following issues: Security issues fixed: - CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652). - CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534). - CVE-2016-8610: Adjusted current fix and add missing error string (bsc#1110018). - Fixed the 'One and Done' side-channel attack on RSA (bsc#1104789). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-DESKTOP-12-SP3-2018-2893,SUSE-SLE-DESKTOP-12-SP4-2018-2893,SUSE-SLE-Module-Legacy-12-2018-2893,SUSE-SLE-SAP-12-SP1-2018-2893,SUSE-SLE-SAP-12-SP2-2018-2893,SUSE-SLE-SAP-12-SP3-2018-2893,SUSE-SLE-SAP-12-SP4-2018-2893 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20184068-1/ Link for SUSE-SU-2018:4068-1 https://lists.suse.com/pipermail/sle-security-updates/2018-December/004950.html E-Mail link for SUSE-SU-2018:4068-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1104789 SUSE Bug 1104789 https://bugzilla.suse.com/1110018 SUSE Bug 1110018 https://bugzilla.suse.com/1113534 SUSE Bug 1113534 https://bugzilla.suse.com/1113652 SUSE Bug 1113652 https://www.suse.com/security/cve/CVE-2016-8610/ SUSE CVE CVE-2016-8610 page https://www.suse.com/security/cve/CVE-2018-0734/ SUSE CVE CVE-2018-0734 page https://www.suse.com/security/cve/CVE-2018-5407/ SUSE CVE CVE-2018-5407 page SUSE Linux Enterprise Desktop 12 SP3 SUSE Linux Enterprise Desktop 12 SP4 SUSE Linux Enterprise Module for Legacy 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 libopenssl0_9_8-0.9.8j-106.9.1 libopenssl0_9_8-32bit-0.9.8j-106.9.1 libopenssl0_9_8-0.9.8j-106.9.1 as a component of SUSE Linux Enterprise Desktop 12 SP3 libopenssl0_9_8-32bit-0.9.8j-106.9.1 as a component of SUSE Linux Enterprise Desktop 12 SP3 libopenssl0_9_8-0.9.8j-106.9.1 as a component of SUSE Linux Enterprise Desktop 12 SP4 libopenssl0_9_8-32bit-0.9.8j-106.9.1 as a component of SUSE Linux Enterprise Desktop 12 SP4 libopenssl0_9_8-0.9.8j-106.9.1 as a component of SUSE Linux Enterprise Module for Legacy 12 libopenssl0_9_8-32bit-0.9.8j-106.9.1 as a component of SUSE Linux Enterprise Module for Legacy 12 libopenssl0_9_8-0.9.8j-106.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 libopenssl0_9_8-0.9.8j-106.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 libopenssl0_9_8-0.9.8j-106.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP3 libopenssl0_9_8-0.9.8j-106.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. CVE-2016-8610 SUSE Linux Enterprise Desktop 12 SP3:libopenssl0_9_8-0.9.8j-106.9.1 SUSE Linux Enterprise Desktop 12 SP3:libopenssl0_9_8-32bit-0.9.8j-106.9.1 SUSE Linux Enterprise Desktop 12 SP4:libopenssl0_9_8-0.9.8j-106.9.1 SUSE Linux Enterprise Desktop 12 SP4:libopenssl0_9_8-32bit-0.9.8j-106.9.1 SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-0.9.8j-106.9.1 SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-32bit-0.9.8j-106.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libopenssl0_9_8-0.9.8j-106.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:libopenssl0_9_8-0.9.8j-106.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:libopenssl0_9_8-0.9.8j-106.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libopenssl0_9_8-0.9.8j-106.9.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20184068-1/ https://www.suse.com/security/cve/CVE-2016-8610.html CVE-2016-8610 https://bugzilla.suse.com/1005878 SUSE Bug 1005878 https://bugzilla.suse.com/1005879 SUSE Bug 1005879 https://bugzilla.suse.com/1110018 SUSE Bug 1110018 https://bugzilla.suse.com/1120592 SUSE Bug 1120592 https://bugzilla.suse.com/1126909 SUSE Bug 1126909 https://bugzilla.suse.com/1148697 SUSE Bug 1148697 https://bugzilla.suse.com/982575 SUSE Bug 982575 The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p). CVE-2018-0734 SUSE Linux Enterprise Desktop 12 SP3:libopenssl0_9_8-0.9.8j-106.9.1 SUSE Linux Enterprise Desktop 12 SP3:libopenssl0_9_8-32bit-0.9.8j-106.9.1 SUSE Linux Enterprise Desktop 12 SP4:libopenssl0_9_8-0.9.8j-106.9.1 SUSE Linux Enterprise Desktop 12 SP4:libopenssl0_9_8-32bit-0.9.8j-106.9.1 SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-0.9.8j-106.9.1 SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-32bit-0.9.8j-106.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libopenssl0_9_8-0.9.8j-106.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:libopenssl0_9_8-0.9.8j-106.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:libopenssl0_9_8-0.9.8j-106.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libopenssl0_9_8-0.9.8j-106.9.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20184068-1/ https://www.suse.com/security/cve/CVE-2018-0734.html CVE-2018-0734 https://bugzilla.suse.com/1113534 SUSE Bug 1113534 https://bugzilla.suse.com/1113652 SUSE Bug 1113652 https://bugzilla.suse.com/1113742 SUSE Bug 1113742 https://bugzilla.suse.com/1122198 SUSE Bug 1122198 https://bugzilla.suse.com/1122212 SUSE Bug 1122212 https://bugzilla.suse.com/1126909 SUSE Bug 1126909 https://bugzilla.suse.com/1148697 SUSE Bug 1148697 Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'. CVE-2018-5407 SUSE Linux Enterprise Desktop 12 SP3:libopenssl0_9_8-0.9.8j-106.9.1 SUSE Linux Enterprise Desktop 12 SP3:libopenssl0_9_8-32bit-0.9.8j-106.9.1 SUSE Linux Enterprise Desktop 12 SP4:libopenssl0_9_8-0.9.8j-106.9.1 SUSE Linux Enterprise Desktop 12 SP4:libopenssl0_9_8-32bit-0.9.8j-106.9.1 SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-0.9.8j-106.9.1 SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-32bit-0.9.8j-106.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libopenssl0_9_8-0.9.8j-106.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:libopenssl0_9_8-0.9.8j-106.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:libopenssl0_9_8-0.9.8j-106.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libopenssl0_9_8-0.9.8j-106.9.1 moderate 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20184068-1/ https://www.suse.com/security/cve/CVE-2018-5407.html CVE-2018-5407 https://bugzilla.suse.com/1113534 SUSE Bug 1113534 https://bugzilla.suse.com/1116195 SUSE Bug 1116195 https://bugzilla.suse.com/1126909 SUSE Bug 1126909 https://bugzilla.suse.com/1148697 SUSE Bug 1148697