[security-announce] SUSE Security Announcement: openssl "HeartBleed" attack (SUSE-SA:2014:002)
______________________________________________________________________________

                        SUSE Security Announcement

        Package:                openssl
        Announcement-ID:        SUSE-SA:2014:002
        Date:                   Tuesday, Apr 8 17:00:00 CET 2014
        Affected products:      openSUSE 12.3
                                openSUSE 13.1
        Vulnerability Type:     remote memory disclosure
        Rating:                 critical
        SUSE default package:   yes
        Cross References:       CVE-2014-0160

    Content of this advisory:
        1) security vulnerability resolved:
             - remote memory disclosure in openssl
           problem description
        2) affected products
        3) solution/workaround
        4) special instructions and notes
______________________________________________________________________________

1) problem description, brief discussion

   An issue with critical severity in the openssl 1.0.1 library has been
   identified, under the code name "HeartBleed" (CVE-2014-0160).

   In openssl 1.0.1 up to and including 1.0.1f, the TLS "Heartbeat"
   extension could be used to disclose memory of the process handling the
   SSL/TLS connection in an easily exploitable way.

   The disclosed memory can include, and according to reports did include:
   - secret key material (for SSL certificates)
   - passwords and other authentication credentials (e.g. http cookies)
   - other sensitive data transferred over SSL

   This problem affected only openSUSE 12.3 and 13.1, which include
   openssl 1.0.1e.

   We have released updates for openSUSE 12.3 and 13.1; see the associated
   automated update notice for package details:
   http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.html

   For further reading: http://heartbleed.com/

2) affected products

   openSUSE 12.3 and 13.1 are affected by this problem.

   SUSE Linux Enterprise 11 and older products currently include openssl
   0.9.8j or older versions, which do not include the TLS Heartbeat
   extension and thus are not affected by this problem.

3) solution/workaround

   There is no workaround; please install the supplied updates.

4) special instructions and notes

   After installing the updates, we strongly advise you to:
   - Get new SSL certificates for the affected services.
   - If your SSL service handled password authentication, we recommend
     initiating password changes ASAP.
   - Invalidate other sensitive data that may have been stored in the
     memory of an exposed process, such as cookies or private URLs.
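A small triage helper, added here and not part of the SUSE advisory, that classifies an OpenSSL version string against the affected range the advisory states (1.0.1 up to and including 1.0.1f) and wraps it in a check of the locally installed binary. The function names are assumptions; note the caveat in the comments that a version string inside the range only means "verify the package update was applied", because distributions commonly backport the fix without changing the upstream version number.

```shell
#!/bin/sh
# Classify an OpenSSL version string against the range named in the
# advisory: 1.0.1 (bare) through 1.0.1f are affected; 1.0.1g and later,
# the 1.0.0 and 0.9.8 branches, and 1.0.2 are not.
# Returns 0 (shell "true") when the version falls inside that range.
#
# Caveat: distribution packages often carry the fix as a backported
# patch while still reporting the upstream version (e.g. "1.0.1e"), so
# a match here means "confirm the package update is installed", not
# "this host is exposed".
heartbleed_affected_version() {
    v="$1"
    # Drop trailing build info: "1.0.1e 11 Feb 2013" or "1.0.1e-fips" -> "1.0.1e"
    v="${v%% *}"
    v="${v%%-*}"
    case "$v" in
        1.0.1)      return 0 ;;   # bare 1.0.1, no letter suffix
        1.0.1[a-f]) return 0 ;;   # 1.0.1a .. 1.0.1f inclusive
        *)          return 1 ;;   # everything else is outside the range
    esac
}

# Check the version the local openssl binary reports.
# `openssl version` prints a line such as "OpenSSL 1.0.1e 11 Feb 2013";
# the second field is the version string.
check_local_openssl() {
    ver=$(openssl version 2>/dev/null | awk '{print $2}')
    if [ -z "$ver" ]; then
        echo "openssl binary not found or not runnable"
        return 2
    fi
    if heartbleed_affected_version "$ver"; then
        echo "openssl $ver is within the affected range (1.0.1 - 1.0.1f)."
        echo "Verify the fixed package is installed, e.g.:"
        echo "  rpm -q --changelog openssl | grep -i CVE-2014-0160"
        return 0
    fi
    echo "openssl $ver is outside the affected range."
    return 1
}
```

Source the file in a shell and run `check_local_openssl`; the exit status (0 affected range, 1 outside, 2 no binary) is usable from cron or a config-management check.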
Participants (1): Marcus Meissner