Security update for libtcnative-1-0 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2019:14014-1 Final 1 1 2019-04-09T09:17:42Z current 2019-04-09T09:17:42Z 2019-04-09T09:17:42Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libtcnative-1-0 This update for libtcnative-1-0 to version 1.1.34 fixes the following issues: - CVE-2017-15698: Fixed an improper handling of fields with more than 127 bytes which could allow invalid client certificates to be accepted (bsc#1078679). - CVE-2018-8019: When using an OCSP responder did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked certificates when using mutual TLS (bsc#1103348). - CVE-2018-8020: Did not properly check OCSP pre-produced responses. Revoked client certificates may have not been properly identified, allowing for users to authenticate with revoked certificates to connections that require mutual TLS (bsc#1103347). For a complete list of changes please see http://tomcat.apache.org/native-1.1-doc/miscellaneous/changelog.html The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sleposp3-libtcnative-1-0-14014,slessp4-libtcnative-1-0-14014 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2019/suse-su-201914014-1/ Link for SUSE-SU-2019:14014-1 https://lists.suse.com/pipermail/sle-security-updates/2019-April/005314.html E-Mail link for SUSE-SU-2019:14014-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1078679 SUSE Bug 1078679 https://bugzilla.suse.com/1103347 SUSE Bug 1103347 https://bugzilla.suse.com/1103348 SUSE Bug 1103348 https://www.suse.com/security/cve/CVE-2017-15698/ SUSE CVE CVE-2017-15698 page https://www.suse.com/security/cve/CVE-2018-8019/ SUSE CVE CVE-2018-8019 page https://www.suse.com/security/cve/CVE-2018-8020/ SUSE CVE CVE-2018-8020 page SUSE Linux Enterprise Point of Sale 11 SP3 SUSE Linux Enterprise Server 11 SP4-LTSS libtcnative-1-0-1.3.4-12.5.5.2 libtcnative-1-0-1.3.4-12.5.5.2 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 libtcnative-1-0-1.3.4-12.5.5.2 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS When parsing the AIA-Extension field of a client certificate, Apache Tomcat Native Connector 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34 did not correctly handle fields longer than 127 bytes. The result of the parsing error was to skip the OCSP check. It was therefore possible for client certificates that should have been rejected (if the OCSP check had been made) to be accepted. Users not using OCSP checks are not affected by this vulnerability. CVE-2017-15698 SUSE Linux Enterprise Point of Sale 11 SP3:libtcnative-1-0-1.3.4-12.5.5.2 SUSE Linux Enterprise Server 11 SP4-LTSS:libtcnative-1-0-1.3.4-12.5.5.2 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-201914014-1/ https://www.suse.com/security/cve/CVE-2017-15698.html CVE-2017-15698 https://bugzilla.suse.com/1078679 SUSE Bug 1078679 When using an OCSP responder Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked certificates when using mutual TLS. Users not using OCSP checks are not affected by this vulnerability. CVE-2018-8019 SUSE Linux Enterprise Point of Sale 11 SP3:libtcnative-1-0-1.3.4-12.5.5.2 SUSE Linux Enterprise Server 11 SP4-LTSS:libtcnative-1-0-1.3.4-12.5.5.2 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-201914014-1/ https://www.suse.com/security/cve/CVE-2018-8019.html CVE-2018-8019 https://bugzilla.suse.com/1103348 SUSE Bug 1103348 Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 has a flaw that does not properly check OCSP pre-produced responses, which are lists (multiple entries) of certificate statuses. Subsequently, revoked client certificates may not be properly identified, allowing for users to authenticate with revoked certificates to connections that require mutual TLS. Users not using OCSP checks are not affected by this vulnerability. CVE-2018-8020 SUSE Linux Enterprise Point of Sale 11 SP3:libtcnative-1-0-1.3.4-12.5.5.2 SUSE Linux Enterprise Server 11 SP4-LTSS:libtcnative-1-0-1.3.4-12.5.5.2 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-201914014-1/ https://www.suse.com/security/cve/CVE-2018-8020.html CVE-2018-8020 https://bugzilla.suse.com/1103347 SUSE Bug 1103347