On Tue, Mar 01, 2016 at 09:34:19PM -0300, Cristian Rodríguez wrote:
Hi:
A new set of vulnerabilities was discovered in OpenSSL; I would like to let you know what the risk is for Tumbleweed users.
Advisory:
http://openssl.org/news/secadv/20160301.txt
* Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
* Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)
* Bleichenbacher oracle in SSLv2 (CVE-2016-0704)
Status: Not vulnerable, :-) SSLv2 is compile time disabled.
* Double-free in DSA code (CVE-2016-0705)
* Side channel attack on modular exponentiation (CVE-2016-0702)
* Memory leak in SRP database lookups (CVE-2016-0798)
* BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
Status: Vulnerable, fix needed
And updates are on their way. Online updates for 13.2 and Leap 42.1 today, also Tumbleweed hopefully today.
* Fix memory issues in BIO_*printf functions (CVE-2016-0799)
Status: Not vulnerable, openSUSE's openssl does not use the buggy bundled printf implementation(?!!!) but the one provided by the C library, which is hardened and better maintained.
Ciao, Marcus
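Checking the "SSLv2 is compile time disabled" claim on your own machine, as an added example that is not part of the thread: it inspects the local `openssl s_client -help` text and reports whether the build still offers an `-ssl2` option. Assumption: OpenSSL 1.0.x lists `-ssl2` in that usage text only when SSLv2 was not configured out (`no-ssl2`), and 1.1.0+ removed SSLv2 entirely, so it never lists it.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): decide from the local
# `openssl s_client -help` text whether SSLv2 was compiled out, which is the
# condition the thread relies on for the DROWN / SSLv2 CVEs.
# Assumption: OpenSSL 1.0.x only lists "-ssl2" in s_client's usage text when
# built without no-ssl2; 1.1.0+ dropped SSLv2 outright and never lists it.

# ssl2_listed HELP_TEXT -> exit 0 if the usage text offers an -ssl2 option.
# The anchors avoid matching unrelated tokens such as "-no_ssl2".
ssl2_listed() {
    printf '%s\n' "$1" | grep -Eq -- '(^|[[:space:]])-ssl2([[:space:]]|$)'
}

# sslv2_status HELP_TEXT -> prints "compiled-in" or "compiled-out"
sslv2_status() {
    if ssl2_listed "$1"; then
        echo "compiled-in"
    else
        echo "compiled-out"
    fi
}

# Run the check against the openssl binary on PATH, if any. Only the
# option parser runs; no network connection is attempted.
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found in PATH"
        return 2
    fi
    help=$(openssl s_client -help 2>&1)
    status=$(sslv2_status "$help")
    echo "$(openssl version): SSLv2 $status"
    [ "$status" = "compiled-out" ]
}

check_local_openssl || :
```

A "compiled-in" result on a 1.0.x build means the DROWN-class items in the advisory apply to that build regardless of how individual services are configured.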