Security update for openssl-1_0_0 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:3308-1 Final 1 1 2023-08-14T11:06:31Z current 2023-08-14T11:06:31Z 2023-08-14T11:06:31Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openssl-1_0_0 This update for openssl-1_0_0 fixes the following issues: - CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-3308,SUSE-SLE-SERVER-12-SP2-BCL-2023-3308 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20233308-1/ Link for SUSE-SU-2023:3308-1 https://lists.suse.com/pipermail/sle-security-updates/2023-August/015897.html E-Mail link for SUSE-SU-2023:3308-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1213853 SUSE Bug 1213853 https://www.suse.com/security/cve/CVE-2023-3817/ SUSE CVE CVE-2023-3817 page SUSE Linux Enterprise Server 12 SP2-BCL libopenssl-devel-1.0.2j-60.104.1 libopenssl-devel-32bit-1.0.2j-60.104.1 libopenssl-devel-64bit-1.0.2j-60.104.1 libopenssl1_0_0-1.0.2j-60.104.1 libopenssl1_0_0-32bit-1.0.2j-60.104.1 libopenssl1_0_0-64bit-1.0.2j-60.104.1 libopenssl1_0_0-hmac-1.0.2j-60.104.1 libopenssl1_0_0-hmac-32bit-1.0.2j-60.104.1 libopenssl1_0_0-hmac-64bit-1.0.2j-60.104.1 openssl-1.0.2j-60.104.1 openssl-cavs-1.0.2j-60.104.1 openssl-doc-1.0.2j-60.104.1 libopenssl-devel-1.0.2j-60.104.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL libopenssl1_0_0-1.0.2j-60.104.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL libopenssl1_0_0-32bit-1.0.2j-60.104.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL libopenssl1_0_0-hmac-1.0.2j-60.104.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL libopenssl1_0_0-hmac-32bit-1.0.2j-60.104.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL openssl-1.0.2j-60.104.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL openssl-doc-1.0.2j-60.104.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. CVE-2023-3817 SUSE Linux Enterprise Server 12 SP2-BCL:libopenssl-devel-1.0.2j-60.104.1 SUSE Linux Enterprise Server 12 SP2-BCL:libopenssl1_0_0-1.0.2j-60.104.1 SUSE Linux Enterprise Server 12 SP2-BCL:libopenssl1_0_0-32bit-1.0.2j-60.104.1 SUSE Linux Enterprise Server 12 SP2-BCL:libopenssl1_0_0-hmac-1.0.2j-60.104.1 SUSE Linux Enterprise Server 12 SP2-BCL:libopenssl1_0_0-hmac-32bit-1.0.2j-60.104.1 SUSE Linux Enterprise Server 12 SP2-BCL:openssl-1.0.2j-60.104.1 SUSE Linux Enterprise Server 12 SP2-BCL:openssl-doc-1.0.2j-60.104.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20233308-1/ https://www.suse.com/security/cve/CVE-2023-3817.html CVE-2023-3817 https://bugzilla.suse.com/1213853 SUSE Bug 1213853 https://bugzilla.suse.com/1216922 SUSE Bug 1216922