Mailinglist Archive: opensuse-security-announce (18 mails)

[security-announce] SUSE Security Announcement: openssl "HeartBleed" attack (SUSE-SA:2014:002)
______________________________________________________________________________

SUSE Security Announcement

Package: openssl
Announcement-ID: SUSE-SA:2014:002
Date: Tuesday, Apr 8 17:00:00 CET 2014
Affected products: openSUSE 12.3
openSUSE 13.1
Vulnerability Type: remote memory disclosure
Rating: critical
SUSE default package: yes
Cross References: CVE-2014-0160

Content of this advisory:
1) security vulnerability resolved:
- remote memory disclosure in openssl
problem description
2) affected products
3) solution/workaround
4) special instructions and notes

______________________________________________________________________________

1) problem description, brief discussion

An issue with critical severity in the openssl 1.0.1 library has been
identified, under the code name "HeartBleed" (CVE-2014-0160).

In openssl 1.0.1 up to and including 1.0.1f, the TLS "Heartbeat"
extension could be used to disclose memory of the process handling
the SSL/TLS connection in an easily exploitable way.

The disclosed memory can include, and according to reports did include:
- secret key material (for SSL certificates)
- passwords and other authentication credentials (e.g. http cookies)
- other sensitive data transferred over SSL

This problem affected only openSUSE 12.3 and 13.1, which include
openssl 1.0.1e.
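To make the "easily exploitable" part concrete from the defender's side, the following is an added illustration written for this archive page; it is not SUSE's or OpenSSL's code. It models a heartbeat handler twice over the same constructed input: once trusting the peer-supplied payload length the way the unpatched code did, and once with the two bounds checks that the CVE-2014-0160 fix adds (the record must hold at least the header plus minimum padding, and the declared payload plus padding must fit inside the record). The names hb_memory, process_heartbeat and SECRET_TAIL, the 16-byte minimum padding taken from RFC 6520, and the layout "record followed by unrelated process memory" are assumptions of the example; a simulation-only guard keeps the unpatched path inside the constructed arena, which the real code did not have.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
#define HB_REQUEST 1
#define HB_MIN_PAD 16

/* Constructed data standing in for unrelated process memory after the record buffer. */
static const char SECRET_TAIL[] = "cookie=SESSION-0123456789;";

/* Simulated process memory (assumed layout): the received record sits at the front of
 * `arena`, SECRET_TAIL follows it. rec_len is the length reported by the record layer. */
typedef struct {
    unsigned char arena[256];
    size_t arena_len;
    size_t rec_len;
} hb_memory;

/* Build a heartbeat request whose length field claims `declared` bytes while the
 * payload actually present is `actual` bytes of 'A'. Honest peers use declared == actual. */
static void build_memory(hb_memory *m, uint16_t declared, size_t actual)
{
    memset(m, 0, sizeof *m);
    unsigned char *p = m->arena;
    *p++ = HB_REQUEST;
    *p++ = (unsigned char)(declared >> 8);
    *p++ = (unsigned char)(declared & 0xff);
    memset(p, 'A', actual);      p += actual;       /* payload */
    memset(p, 'P', HB_MIN_PAD);  p += HB_MIN_PAD;   /* padding */
    m->rec_len = (size_t)(p - m->arena);
    memcpy(p, SECRET_TAIL, sizeof SECRET_TAIL);     /* "other process memory" */
    m->arena_len = m->rec_len + sizeof SECRET_TAIL;
}

/* Handle one heartbeat request. Returns the number of payload bytes echoed into `out`,
 * or -1 if the request is rejected. `hardened` enables the two checks the fix added;
 * without them the handler trusts the peer-supplied length field. */
int process_heartbeat(const hb_memory *m, int hardened, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = m->arena;
    if (hardened && m->rec_len < 1 + 2 + HB_MIN_PAD)
        return -1;                                  /* record too short to be a valid heartbeat */
    if (p[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)p[1] << 8) | p[2];   /* peer-controlled length field */
    if (hardened && 1 + 2 + payload + HB_MIN_PAD > m->rec_len)
        return -1;                                  /* declared payload does not fit in the record */
    /* Simulation-only guard so the unpatched path stays inside `arena`; the real
     * unpatched code had no bound here and copied straight past the record. */
    if (3 + payload > m->arena_len || payload > out_cap)
        return -1;
    memcpy(out, p + 3, payload);                    /* echo `payload` bytes after the header */
    return (int)payload;
}

/* Echo length for a request that declares `declared` bytes but carries 5. */
int echo_length(int hardened, uint16_t declared)
{
    hb_memory m; unsigned char out[256];
    build_memory(&m, declared, 5);
    return process_heartbeat(&m, hardened, out, sizeof out);
}

/* 1 if the echoed bytes run past the record into SECRET_TAIL, 0 otherwise (also 0 if rejected). */
int echo_reaches_secret(int hardened, uint16_t declared)
{
    hb_memory m; unsigned char out[256];
    build_memory(&m, declared, 5);
    int n = process_heartbeat(&m, hardened, out, sizeof out);
    if (n < 5 + HB_MIN_PAD + 7) return 0;           /* nothing beyond payload + padding */
    return memcmp(out + 5 + HB_MIN_PAD, "cookie=", 7) == 0;
}

int main(void)
{
    printf("honest request (5 declared, 5 present): unpatched=%d hardened=%d\n",
           echo_length(0, 5), echo_length(1, 5));
    printf("oversized request (32 declared, 5 present): unpatched=%d hardened=%d\n",
           echo_length(0, 32), echo_length(1, 32));
    printf("secret reached: unpatched=%d hardened=%d\n",
           echo_reaches_secret(0, 32), echo_reaches_secret(1, 32));
    return 0;
}
```

The honest request is echoed identically by both variants, which is why the checks cost nothing for legitimate peers; the oversized request is echoed by the unpatched handler with bytes from beyond the record and rejected outright by the hardened one. The useful detection angle is the same comparison: a heartbeat whose declared payload length exceeds the TLS record length is malformed by definition and can be flagged at the record layer.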

We have released updates for openSUSE 12.3 and 13.1, see
the associated automated update notice for package details:

http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.html

For further reading:
http://heartbleed.com/

2) affected products

openSUSE 12.3 and 13.1 are affected by this problem.

SUSE Linux Enterprise 11 and older products currently include openssl
0.9.8j or older versions, which do not include the TLS Heartbeat
extension and thus are not affected by this problem.

3) solution/workaround

There is no workaround, please install the supplied updates.

4) special instructions and notes

After installing the updates, we strongly advise you to:

- Get new SSL certificates for the affected services.

- If your SSL service handled password authentication, we recommend
initiating password changes ASAP.

- Invalidate other sensitive data that may have been stored in the
memory of an exposed process, such as cookies or private URLs.