[security-announce] Announcement: openssl 1.0.1h released to fix several vulnerabilities
Today the openssl project released a new version of the openssl library (openssl-1.0.1h) that fixes six/seven vulnerabilities.

Details about the vulnerabilities can be found in their advisory:
http://www.openssl.org/news/secadv_20140605.txt

List of issues:
1. SSL/TLS MITM vulnerability (CVE-2014-0224)
2. DTLS recursion flaw (CVE-2014-0221)
3. DTLS invalid fragment vulnerability (CVE-2014-0195)
4. SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
5. SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
6. Anonymous ECDH denial of service (CVE-2014-3470)
7. Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD (CVE-2014-0076)

We ship the following openssl versions which are affected by...:

- SLES9: openssl 0.9.7d
  + SSL/TLS MITM vulnerability (CVE-2014-0224)
- SLE10: openssl 0.9.8a
  + SSL/TLS MITM vulnerability (CVE-2014-0224)
  + DTLS recursion flaw (CVE-2014-0221)
- SLE11: openssl 0.9.8j
  + SSL/TLS MITM vulnerability (CVE-2014-0224)
  + DTLS recursion flaw (CVE-2014-0221)
  + Anonymous ECDH denial of service (CVE-2014-3470)
- Security AddON for SLES11: openssl 1.0.1g
  + SSL/TLS MITM vulnerability (CVE-2014-0224)
  + DTLS recursion flaw (CVE-2014-0221)
  + DTLS invalid fragment vulnerability (CVE-2014-0195)
  + SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
  + Anonymous ECDH denial of service (CVE-2014-3470)
- opensuse: openssl 1.0.1*
  + SSL/TLS MITM vulnerability (CVE-2014-0224)
  + DTLS recursion flaw (CVE-2014-0221)
  + DTLS invalid fragment vulnerability (CVE-2014-0195)
  + SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
  + Anonymous ECDH denial of service (CVE-2014-3470)

An update package for CVE-2014-0076 was released in April 2014, see
http://lists.opensuse.org/opensuse-updates/2014-04/msg00007.html.

DTLS invalid fragment vulnerability (CVE-2014-0195): This issue affects only versions starting from 0.9.8o, therefore 0.9.8j is not affected by this remote buffer overflow.

The updates will be released as soon as possible.

Best regards,
Thomas

--
Thomas Biege <thomas@suse.de>, Team Leader Maintenance Security, CSSLP
SUSE LINUX Products GmbH
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer
HRB 21284 (AG Nürnberg)

--
Wer aufhoert besser werden zu wollen, hoert auf gut zu sein.
-- Marie von Ebner-Eschenbach
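As an added illustration (not part of the announcement or of SUSE's tooling), a small Python check that parses `openssl version` output and reports which of the CVEs named above the mail says apply. The per-version CVE lists, the "0.9.8o and later" rule for CVE-2014-0195 and the 1.0.1h fix level are transcribed from the mail; versions the mail does not name are reported as not covered rather than guessed.

```python
import re

# OpenSSL version strings look like "0.9.8j", "1.0.1g" or "0.9.8za"; the letter
# suffix orders patch releases and continues "za", "zb", ... after "z".
_VER_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl_version(text):
    """Comparable key from a bare version or from `openssl version` output."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version in %r" % text)
    major, minor, fix, letters = m.groups()
    # (len(letters), letters) sorts "" < "a" < ... < "z" < "za" < "zb"
    return (int(major), int(minor), int(fix), len(letters), letters)

MITM, DTLS_REC, DTLS_FRAG, NULLPTR, ANON_ECDH = (
    "CVE-2014-0224", "CVE-2014-0221", "CVE-2014-0195",
    "CVE-2014-0198", "CVE-2014-3470")

# CVE lists exactly as the announcement gives them for each shipped version.
SHIPPED = {
    "0.9.7d": [MITM],                      # SLES9
    "0.9.8a": [MITM, DTLS_REC],            # SLE10
    "0.9.8j": [MITM, DTLS_REC, ANON_ECDH], # SLE11
}
ONE_ZERO_ONE = [MITM, DTLS_REC, DTLS_FRAG, NULLPTR, ANON_ECDH]  # 1.0.1*
FIXED_101 = parse_openssl_version("1.0.1h")       # release named as the fix
FIRST_DTLS_FRAG = parse_openssl_version("0.9.8o")  # CVE-2014-0195 starts here

def cves_from_announcement(version_text):
    """CVEs the mail says apply to this build; None if the mail does not
    cover this version (no claim is made either way)."""
    key = parse_openssl_version(version_text)
    if key[:3] == (1, 0, 1):
        return [] if key >= FIXED_101 else list(ONE_ZERO_ONE)
    exact = "%d.%d.%d%s" % (key[0], key[1], key[2], key[4])
    return list(SHIPPED[exact]) if exact in SHIPPED else None

def dtls_fragment_applies(version_text):
    """The mail's rule for CVE-2014-0195: only 0.9.8o and later are affected,
    and 1.0.1h is the only fixed release the mail names."""
    key = parse_openssl_version(version_text)
    if key < FIRST_DTLS_FRAG:
        return False
    return not (key[:3] == (1, 0, 1) and key >= FIXED_101)
```

Run it against the local build with `cves_from_announcement(subprocess.check_output(["openssl", "version"]).decode())`; a `None` result means the announcement simply does not speak to that version.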