[opensuse-factory] openssl new vulnerabilities
HI:

A new set of vulnerabilities was discovered in OpenSSL; I would like to let you know what the risk is for Tumbleweed users.

Advisory:
http://openssl.org/news/secadv/20160301.txt

* Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
* Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)
* Bleichenbacher oracle in SSLv2 (CVE-2016-0704)

Status: Not vulnerable, :-) SSLv2 is compile-time disabled.

* Double-free in DSA code (CVE-2016-0705)
* Side channel attack on modular exponentiation (CVE-2016-0702)
* Memory leak in SRP database lookups (CVE-2016-0798)
* BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)

Status: Vulnerable, fix needed

* Fix memory issues in BIO_*printf functions (CVE-2016-0799)

Status: Not vulnerable, openSUSE's openssl does not use the buggy bundled printf implementation(?!!!) but the one provided by the C library which is hardened and better maintained.

HTH.

Cristian.

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
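The "not vulnerable" call above is about the openSUSE library build. Whether a server you operate is a DROWN oracle is a separate question: it depends on whether anything reachable with the same RSA key still answers an SSLv2 handshake. The probe below is an added example for this thread, not code from the poster, openSUSE, OpenSSL or the DROWN researchers. It hand-builds an SSLv2 ClientHello (an openssl built with SSLv2 disabled cannot send one, so `openssl s_client -ssl2` is no help on such a system) and decodes the SSLv2 ServerHello. The record layout and cipher-kind codes follow the SSLv2 draft specification; `probe()` needs network access to a target of your choosing, and the sample reply at the bottom is constructed for offline use, not captured from any real host.

```python
"""SSLv2 reachability probe: the check used to triage DROWN (CVE-2016-0800) exposure.

Added example for this thread, not code from openSUSE, OpenSSL or the DROWN authors.
A server that answers an SSLv2 ClientHello with an SSLv2 ServerHello still speaks
SSLv2, and under DROWN it is a padding oracle for every TLS host sharing its RSA key.
An OpenSSL built with SSLv2 disabled cannot send this handshake, so it is built by hand.
"""
import os
import socket
import struct
from typing import Optional

SSL2_VERSION = 0x0002
MT_CLIENT_HELLO = 0x01
MT_SERVER_HELLO = 0x04

# The seven SSLv2 cipher kinds (3 bytes each) from the SSLv2 draft; the two EXPORT40
# kinds are the 40-bit ones a DROWN attacker needs the server to accept.
SSL2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def ssl2_record(body: bytes) -> bytes:
    """Prefix a handshake body with the 2-byte SSLv2 record header (high bit set, no padding)."""
    if len(body) > 0x7FFF:
        raise ValueError("a 2-byte SSLv2 header carries at most 32767 bytes")
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_client_hello(challenge: bytes = b"") -> bytes:
    """SSLv2 CLIENT-HELLO: all cipher kinds, empty session id, 16-byte challenge."""
    challenge = challenge or os.urandom(16)
    cipher_specs = b"".join(SSL2_CIPHER_KINDS)
    fixed = struct.pack("!BHHHH", MT_CLIENT_HELLO, SSL2_VERSION,
                        len(cipher_specs), 0, len(challenge))
    return ssl2_record(fixed + cipher_specs + challenge)


def parse_server_hello(data: bytes) -> Optional[dict]:
    """Decode an SSLv2 SERVER-HELLO record; None for anything else (TLS alert, EOF, junk)."""
    if len(data) < 3:
        return None
    if data[0] & 0x80:                      # 2-byte header, 15-bit length
        length, hdr = ((data[0] & 0x7F) << 8) | data[1], 2
    else:                                   # 3-byte header, 14-bit length plus padding byte
        length, hdr = ((data[0] & 0x3F) << 8) | data[1], 3
    body = data[hdr:hdr + length]
    if len(body) < 11 or body[0] != MT_SERVER_HELLO:
        return None
    _, _sid_hit, _cert_type, version, cert_len, spec_len, conn_len = struct.unpack("!BBBHHHH", body[:11])
    rest = body[11:]
    if len(rest) < cert_len + spec_len + conn_len:
        return None                         # truncated record: do not report partial fields
    specs = rest[cert_len:cert_len + spec_len]
    ciphers = [SSL2_CIPHER_KINDS.get(specs[i:i + 3], specs[i:i + 3].hex())
               for i in range(0, len(specs), 3)]
    return {
        "version": version,
        "certificate": rest[:cert_len],     # DER X.509 on a real server
        "ciphers": ciphers,
        "export_ciphers": [c for c in ciphers if "EXPORT" in c],
    }


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Optional[dict]:
    """Send one SSLv2 ClientHello; return the parsed ServerHello if the server speaks SSLv2."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            while len(buf) < 16384 and parse_server_hello(buf) is None:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass                            # a TLS-only server may just sit on the bogus hello
    return parse_server_hello(buf)


# Constructed sample reply (not captured from a real host): what an SSLv2-enabled server
# sends back, with "CERT" standing in for the certificate and two cipher kinds echoed.
SAMPLE_SERVER_HELLO = ssl2_record(
    struct.pack("!BBBHHHH", MT_SERVER_HELLO, 0, 1, SSL2_VERSION, 4, 6, 16)
    + b"CERT" + b"\x01\x00\x80" + b"\x02\x00\x80" + b"\x00" * 16
)
```

Usage: `probe("mail.example.internal", 25)` style calls against each port that terminates TLS with the key in question (the hostname is a placeholder). A non-None result means the endpoint still speaks SSLv2; a non-empty `export_ciphers` list is the worst case. Two caveats a scan should keep in mind: DROWN is a cross-protocol attack, so the SSLv2 endpoint that matters may be an SMTP, IMAP or POP3 listener, or another host, that merely shares the RSA key with the TLS service you care about; and a server that replies with an SSLv2 ERROR message (type 0) rather than a ServerHello has also shown it speaks SSLv2, which this probe reports as None, so treat None as "no SSLv2 ServerHello" rather than proof of safety.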
On Tue, Mar 01, 2016 at 09:34:19PM -0300, Cristian Rodríguez wrote:
> HI:
>
> A new set of vulnerabilities was discovered in OpenSSL; I would like to let you know what the risk is for Tumbleweed users.
>
> Advisory:
> http://openssl.org/news/secadv/20160301.txt
>
> * Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
> * Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)
> * Bleichenbacher oracle in SSLv2 (CVE-2016-0704)
>
> Status: Not vulnerable, :-) SSLv2 is compile-time disabled.
>
> * Double-free in DSA code (CVE-2016-0705)
> * Side channel attack on modular exponentiation (CVE-2016-0702)
> * Memory leak in SRP database lookups (CVE-2016-0798)
> * BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
>
> Status: Vulnerable, fix needed

And updates are on their way. Online updates for 13.2 and Leap 42.1 today, also Tumbleweed hopefully today.

> * Fix memory issues in BIO_*printf functions (CVE-2016-0799)
>
> Status: Not vulnerable, openSUSE's openssl does not use the buggy bundled printf implementation(?!!!) but the one provided by the C library which is hardened and better maintained.

Ciao, Marcus
On Mar 02, 2016 at 08:14:08 +0100, Marcus Meissner wrote:
> On Tue, Mar 01, 2016 at 09:34:19PM -0300, Cristian Rodríguez wrote:
>> HI:
>>
>> A new set of vulnerabilities was discovered in OpenSSL; I would like to let you know what the risk is for Tumbleweed users.
>>
>> Advisory:
>> http://openssl.org/news/secadv/20160301.txt
>>
>> * Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
>> * Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)
>> * Bleichenbacher oracle in SSLv2 (CVE-2016-0704)
>>
>> Status: Not vulnerable, :-) SSLv2 is compile-time disabled.
>>
>> * Double-free in DSA code (CVE-2016-0705)
>> * Side channel attack on modular exponentiation (CVE-2016-0702)
>> * Memory leak in SRP database lookups (CVE-2016-0798)
>> * BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
>>
>> Status: Vulnerable, fix needed
>
> And updates are on their way. Online updates for 13.2 and Leap 42.1 today, also Tumbleweed hopefully today.

What is the current state of the Tumbleweed OpenSSL update?

Greetings, Björn
On Fri, Mar 4, 2016 at 7:54 PM, Bjoern Voigt <bjoernv@arcor.de> wrote:
>>> Status: Vulnerable, fix needed
>>
>> And updates are on their way. Online updates for 13.2 and Leap 42.1 today, also Tumbleweed hopefully today.
>
> What is the current state of the Tumbleweed OpenSSL update?

Updates are in the making.. but do not panic.. triggering those vulnerabilities from remote is very unlikely or not possible.
On Fri, Mar 04, 2016 at 11:54:19PM +0100, Bjoern Voigt wrote:
> On Mar 02, 2016 at 08:14:08 +0100, Marcus Meissner wrote:
>> On Tue, Mar 01, 2016 at 09:34:19PM -0300, Cristian Rodríguez wrote:
>>> HI:
>>>
>>> A new set of vulnerabilities was discovered in OpenSSL; I would like to let you know what the risk is for Tumbleweed users.
>>>
>>> Advisory:
>>> http://openssl.org/news/secadv/20160301.txt
>>>
>>> * Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
>>> * Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)
>>> * Bleichenbacher oracle in SSLv2 (CVE-2016-0704)
>>>
>>> Status: Not vulnerable, :-) SSLv2 is compile-time disabled.
>>>
>>> * Double-free in DSA code (CVE-2016-0705)
>>> * Side channel attack on modular exponentiation (CVE-2016-0702)
>>> * Memory leak in SRP database lookups (CVE-2016-0798)
>>> * BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
>>>
>>> Status: Vulnerable, fix needed
>>
>> And updates are on their way. Online updates for 13.2 and Leap 42.1 today, also Tumbleweed hopefully today.
>
> What is the current state of the Tumbleweed OpenSSL update?

We had a build problem with python-cryptography, which we fixed and it is in staging.

Note that all the "High" issues do not impact Tumbleweed, so I see no specific hurry.

Ciao, Marcus
On Sat, Mar 05, 2016 at 08:20:40AM +0100, Marcus Meissner wrote:
> On Fri, Mar 04, 2016 at 11:54:19PM +0100, Bjoern Voigt wrote:
>> On Mar 02, 2016 at 08:14:08 +0100, Marcus Meissner wrote:
>>> On Tue, Mar 01, 2016 at 09:34:19PM -0300, Cristian Rodríguez wrote:
>>>> HI:
>>>>
>>>> A new set of vulnerabilities was discovered in OpenSSL; I would like to let you know what the risk is for Tumbleweed users.
>>>>
>>>> Advisory:
>>>> http://openssl.org/news/secadv/20160301.txt
>>>>
>>>> * Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
>>>> * Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)
>>>> * Bleichenbacher oracle in SSLv2 (CVE-2016-0704)
>>>>
>>>> Status: Not vulnerable, :-) SSLv2 is compile-time disabled.
>>>>
>>>> * Double-free in DSA code (CVE-2016-0705)
>>>> * Side channel attack on modular exponentiation (CVE-2016-0702)
>>>> * Memory leak in SRP database lookups (CVE-2016-0798)
>>>> * BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
>>>>
>>>> Status: Vulnerable, fix needed
>>>
>>> And updates are on their way. Online updates for 13.2 and Leap 42.1 today, also Tumbleweed hopefully today.
>>
>> What is the current state of the Tumbleweed OpenSSL update?
>
> We had a build problem with python-cryptography, which we fixed and it is in staging.
>
> Note that all the "High" issues do not impact Tumbleweed, so I see no specific hurry.

The new openssl has landed in Tumbleweed.

Ciao, Marcus
participants (3)
- Bjoern Voigt
- Cristian Rodríguez
- Marcus Meissner