SuSE Local Security Checks : openSUSE: Security Advisory for libressl (openSUSE-SU-2018:2592-1)

Anfälligkeitssuche		Suche in 219043 CVE Beschreibungen und 99761 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.0.852047

Kategorie: SuSE Local Security Checks

Titel: openSUSE: Security Advisory for libressl (openSUSE-SU-2018:2592-1)

Zusammenfassung: The remote host is missing an update for the 'libressl'; package(s) announced via the openSUSE-SU-2018:2592-1 advisory.

Beschreibung: Summary:
The remote host is missing an update for the 'libressl'
package(s) announced via the openSUSE-SU-2018:2592-1 advisory.

Vulnerability Insight:
This update for libressl to version 2.8.0 fixes the following issues:

Security issues fixed:

- CVE-2018-12434: Avoid a timing side-channel leak when generating DSA and
ECDSA signatures. (boo#1097779)

- Reject excessively large primes in DH key generation.

Other bugs fixed:

- Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry.

- Tighten up checks for various X509_VERIFY_PARAM functions, 'poisoning'
parameters so that an unverified certificate cannot be used if it fails
verification.

- Fixed a potential memory leak on failure in ASN1_item_digest.

- Fixed a potential memory alignment crash in asn1_item_combine_free.

- Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and
SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths.

- Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds.

- Added const annotations to many existing APIs from OpenSSL, making
interoperability easier for downstream applications.

- Added a missing bounds check in c2i_ASN1_BIT_STRING.

- Removed three remaining single DES cipher suites.

- Fixed a potential leak/incorrect return value in DSA signature
generation.

- Added a blinding value when generating DSA and ECDSA signatures, in
order to reduce the possibility of a side-channel attack leaking the
private key.

- Added ECC constant time scalar multiplication support.

- Revised the implementation of RSASSA-PKCS1-v1_5 to match the
specification in RFC 8017.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended
installation methods
like YaST online_update or 'zypper patch'.

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-950=1

Affected Software/OS:
libressl on openSUSE Leap 15.0.

Solution:
Please install the updated package(s).

CVSS Score:
1.9

CVSS Vector:
AV:L/AC:M/Au:N/C:P/I:N/A:N

Querverweis: Common Vulnerability Exposure (CVE) ID: CVE-2018-12434

Copyright Copyright (C) 2018 Greenbone Networks GmbH

Dies ist nur einer von 99761 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.0.852047
Kategorie:	SuSE Local Security Checks
Titel:	openSUSE: Security Advisory for libressl (openSUSE-SU-2018:2592-1)
Zusammenfassung:	The remote host is missing an update for the 'libressl'; package(s) announced via the openSUSE-SU-2018:2592-1 advisory.
Beschreibung:	Summary: The remote host is missing an update for the 'libressl' package(s) announced via the openSUSE-SU-2018:2592-1 advisory. Vulnerability Insight: This update for libressl to version 2.8.0 fixes the following issues: Security issues fixed: - CVE-2018-12434: Avoid a timing side-channel leak when generating DSA and ECDSA signatures. (boo#1097779) - Reject excessively large primes in DH key generation. Other bugs fixed: - Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry. - Tighten up checks for various X509_VERIFY_PARAM functions, 'poisoning' parameters so that an unverified certificate cannot be used if it fails verification. - Fixed a potential memory leak on failure in ASN1_item_digest. - Fixed a potential memory alignment crash in asn1_item_combine_free. - Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths. - Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds. - Added const annotations to many existing APIs from OpenSSL, making interoperability easier for downstream applications. - Added a missing bounds check in c2i_ASN1_BIT_STRING. - Removed three remaining single DES cipher suites. - Fixed a potential leak/incorrect return value in DSA signature generation. - Added a blinding value when generating DSA and ECDSA signatures, in order to reduce the possibility of a side-channel attack leaking the private key. - Added ECC constant time scalar multiplication support. - Revised the implementation of RSASSA-PKCS1-v1_5 to match the specification in RFC 8017. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product: - openSUSE Leap 15.0: zypper in -t patch openSUSE-2018-950=1 Affected Software/OS: libressl on openSUSE Leap 15.0. Solution: Please install the updated package(s). CVSS Score: 1.9 CVSS Vector: AV:L/AC:M/Au:N/C:P/I:N/A:N
Querverweis:	Common Vulnerability Exposure (CVE) ID: CVE-2018-12434
Copyright	Copyright (C) 2018 Greenbone Networks GmbH