[Bug 958038] New: Base:System/openssl: Security Update to 1.0.2e suggested
http://bugzilla.opensuse.org/show_bug.cgi?id=958038

Bug ID: 958038
Summary: Base:System/openssl: Security Update to 1.0.2e suggested
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: 3rd party software
Assignee: vcizek@suse.com
Reporter: dnh@opensuse.org
QA Contact: opensuse-communityscreening@forge.provo.novell.com
Found By: ---
Blocker: ---

CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 and CVE-2015-1794

see https://openssl.org/news/secadv/20151203.txt

At least the "1.0.2a-fips*"-patches need quite a bit of rebasing.

--
You are receiving this mail because:
You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=958038#c1

Vítězslav Čížek <vcizek@suse.com> changed:

What   |Removed |Added
----------------------------------------------------------------------------
Status |NEW     |IN_PROGRESS
CC     |        |vcizek@suse.com

--- Comment #1 from Vítězslav Čížek <vcizek@suse.com> ---
(In reply to David Haller from comment #0)
> CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 and CVE-2015-1794

We are aware of the new release and we'll make an update soon.
Thanks for reporting anyway.

> At least the "1.0.2a-fips*"-patches need quite a bit of rebasing.

Unfortunately yes :-( That delayed the update a bit.

http://bugzilla.opensuse.org/show_bug.cgi?id=958038#c2

Vítězslav Čížek <vcizek@suse.com> changed:

What       |Removed     |Added
----------------------------------------------------------------------------
Status     |IN_PROGRESS |RESOLVED
Resolution |---         |DUPLICATE

--- Comment #2 from Vítězslav Čížek <vcizek@suse.com> ---
(In reply to Vítězslav Čížek from comment #1)
> (In reply to David Haller from comment #0)
> > At least the "1.0.2a-fips*"-patches need quite a bit of rebasing.

Fortunately, the patch comes from Fedora and their guys already rebased the big patch, so I just pulled it in.

Package was submitted to Factory: https://build.opensuse.org/request/show/347504

*** This bug has been marked as a duplicate of bug 957181 ***

http://bugzilla.opensuse.org/show_bug.cgi?id=958038#c3

--- Comment #3 from David Haller <dnh@opensuse.org> ---
(In reply to Vítězslav Čížek from comment #2)
> (In reply to Vítězslav Čížek from comment #1)
> > (In reply to David Haller from comment #0)
> > > At least the "1.0.2a-fips*"-patches need quite a bit of rebasing.
>
> Fortunately, the patch comes from Fedora and their guys already rebased the big patch, so I just pulled it in.
>
> Package was submitted to Factory: https://build.opensuse.org/request/show/347504
>
> *** This bug has been marked as a duplicate of bug 957181 ***

Wonderful :)

I'd like to add, though, that those CVEs are more severe than the openssl-team made them. Cf.: https://blog.fefe.de/?ts=a89f47b9 (German), which basically says, "if you offer DHE, e.g. the NSA can guess your private key", and that another is a "double free", and that both should get "severe" or "critical" rating.

But, "we" (Fedora, you, fefe, me) reacted in a good way I guess ;)