[opensuse-factory] openssl new vulnerabilities
Hi:

A new set of vulnerabilities was discovered in OpenSSL. I would like to let you know what the risk is for Tumbleweed users.

Advisory: http://openssl.org/news/secadv/20160301.txt

* Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
* Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)
* Bleichenbacher oracle in SSLv2 (CVE-2016-0704)

Status: Not vulnerable, :-) SSLv2 is compile-time disabled.

* Double-free in DSA code (CVE-2016-0705)
* Side channel attack on modular exponentiation (CVE-2016-0702)
* Memory leak in SRP database lookups (CVE-2016-0798)
* BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)

Status: Vulnerable, fix needed

* Fix memory issues in BIO_*printf functions (CVE-2016-0799)

Status: Not vulnerable, openSUSE's openssl does not use the buggy bundled printf implementation (?!!!) but the one provided by the C library, which is hardened and better maintained.

HTH.

Cristian.

-- 
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
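The verdicts in the mail depend on two build facts: whether libssl was compiled with SSLv2, and whether OpenSSL's bundled BIO_*printf is used. The following is an added example (not part of the mail or of the openSUSE package) that encodes that triage and checks the first fact against the libssl the local Python links to; the CVE list is the advisory's, the function names and the `bundled_printf` flag are assumptions of this example.

```python
"""Triage the 2016-03-01 OpenSSL advisory against a build's features.

Added example: the SSLv2 items only apply if libssl was compiled with
SSLv2, and CVE-2016-0799 only if OpenSSL's bundled BIO_*printf is used.
"""
import ssl

# (CVE, summary from the advisory, build feature the bug depends on;
#  None means the bug applies to every build)
ADVISORY_20160301 = [
    ("CVE-2016-0800", "Cross-protocol attack on TLS using SSLv2 (DROWN)", "sslv2"),
    ("CVE-2016-0703", "Divide-and-conquer session key recovery in SSLv2", "sslv2"),
    ("CVE-2016-0704", "Bleichenbacher oracle in SSLv2", "sslv2"),
    ("CVE-2016-0705", "Double-free in DSA code", None),
    ("CVE-2016-0702", "Side channel attack on modular exponentiation", None),
    ("CVE-2016-0798", "Memory leak in SRP database lookups", None),
    ("CVE-2016-0797", "BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption", None),
    ("CVE-2016-0799", "Memory issues in BIO_*printf functions", "bundled_printf"),
]


def sslv2_compiled_in():
    """True if the libssl this Python links against still has SSLv2.

    CPython exposes ssl.PROTOCOL_SSLv2 only when libssl was built with
    SSLv2 support, so its absence indicates a no-ssl2 build like the one
    the mail describes. This inspects Python's libssl, which may differ
    from the system's copy; confirm against the package if in doubt.
    """
    return hasattr(ssl, "PROTOCOL_SSLv2")


def triage(sslv2_compiled, bundled_printf):
    """Map each CVE to 'not vulnerable' or 'fix needed' for a build that
    has (True) or lacks (False) each of the two features."""
    present = {"sslv2": sslv2_compiled, "bundled_printf": bundled_printf}
    result = {}
    for cve, _summary, depends_on in ADVISORY_20160301:
        applies = depends_on is None or present[depends_on]
        result[cve] = "fix needed" if applies else "not vulnerable"
    return result


def fixes_needed(sslv2_compiled, bundled_printf):
    """CVEs that still require a patched openssl package, in advisory order."""
    status = triage(sslv2_compiled, bundled_printf)
    return [cve for cve, _s, _d in ADVISORY_20160301 if status[cve] == "fix needed"]


if __name__ == "__main__":
    # bundled_printf cannot be detected from Python; the mail states the
    # openSUSE build uses the C library's printf, hence False here.
    for cve, verdict in triage(sslv2_compiled_in(), False).items():
        print(cve, verdict)
```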
participants (1)
- Cristian Rodríguez