# Security update for openssl-1_1 Announcement ID: SUSE-SU-2024:3905-1 Release Date: 2024-11-04T12:39:19Z Rating: moderate References: * bsc#1220262 * bsc#1224258 * bsc#1224260 * bsc#1224264 * bsc#1224265 * bsc#1224266 * bsc#1224267 * bsc#1224268 * bsc#1224269 * bsc#1224270 * bsc#1224271 * bsc#1224272 * bsc#1224273 * bsc#1224275 * bsc#1228618 * bsc#1228619 * bsc#1228623 Cross-References: * CVE-2023-50782 CVSS scores: * CVE-2023-50782 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2023-50782 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2023-50782 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Affected Products: * Basesystem Module 15-SP6 * Development Tools Module 15-SP6 * Legacy Module 15-SP6 * openSUSE Leap 15.6 * SUSE Linux Enterprise Desktop 15 SP6 * SUSE Linux Enterprise Real Time 15 SP6 * SUSE Linux Enterprise Server 15 SP6 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 An update that solves one vulnerability and has 16 security fixes can now be installed. ## Description: This update for openssl-1_1 fixes the following issues: Security fixes: * CVE-2023-50782: Implicit rejection in PKCS#1 v1.5 (bsc#1220262) Other fixes: * FIPS: AES GCM external IV implementation (bsc#1228618) * FIPS: Mark PBKDF2 and HKDF HMAC input keys with size >= 112 bits as approved in the SLI. (bsc#1228623) * FIPS: Enforce KDF in FIPS style (bsc#1224270) * FIPS: Mark HKDF and TLSv1.3 KDF as approved in the SLI (bsc#1228619) * FIPS: The X9.31 scheme is not approved for RSA signature operations in FIPS 186-5. (bsc#1224269) * FIPS: Differentiate the PSS length requirements (bsc#1224275) * FIPS: Mark sigGen and sigVer primitives as non-approved (bsc#1224272) * FIPS: Disable PKCSv1.5 and shake in FIPS mode (bsc#1224271) * FIPS: Mark SHA1 as non-approved in the SLI (bsc#1224266) * FIPS: DH FIPS selftest and safe prime group (bsc#1224264) * FIPS: Remove not needed FIPS DRBG files (bsc#1224268) * FIPS: Add Pair-wise Consistency Test when generating DH key (bsc#1224265) * FIPS: Disallow non-approved KDF types (bsc#1224267) * FIPS: Disallow RSA sigVer with 1024 and ECDSA sigVer/keyVer P-192 (bsc#1224273) * FIPS: DRBG component chaining (bsc#1224258) * FIPS: Align CRNGT_BUFSIZ with Jitter RNG output size (bsc#1224260) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * Legacy Module 15-SP6 zypper in -t patch SUSE-SLE-Module-Legacy-15-SP6-2024-3905=1 * openSUSE Leap 15.6 zypper in -t patch SUSE-2024-3905=1 openSUSE-SLE-15.6-2024-3905=1 * Basesystem Module 15-SP6 zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2024-3905=1 * Development Tools Module 15-SP6 zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2024-3905=1 ## Package List: * Legacy Module 15-SP6 (aarch64 ppc64le s390x x86_64) * openssl-1_1-debugsource-1.1.1w-150600.5.9.1 * openssl-1_1-debuginfo-1.1.1w-150600.5.9.1 * openssl-1_1-1.1.1w-150600.5.9.1 * openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586) * libopenssl-1_1-devel-1.1.1w-150600.5.9.1 * openssl-1_1-1.1.1w-150600.5.9.1 * openssl-1_1-debuginfo-1.1.1w-150600.5.9.1 * libopenssl1_1-debuginfo-1.1.1w-150600.5.9.1 * openssl-1_1-debugsource-1.1.1w-150600.5.9.1 * libopenssl1_1-1.1.1w-150600.5.9.1 * openSUSE Leap 15.6 (x86_64) * libopenssl1_1-32bit-1.1.1w-150600.5.9.1 * libopenssl-1_1-devel-32bit-1.1.1w-150600.5.9.1 * libopenssl1_1-32bit-debuginfo-1.1.1w-150600.5.9.1 * openSUSE Leap 15.6 (noarch) * openssl-1_1-doc-1.1.1w-150600.5.9.1 * openSUSE Leap 15.6 (aarch64_ilp32) * libopenssl1_1-64bit-1.1.1w-150600.5.9.1 * libopenssl-1_1-devel-64bit-1.1.1w-150600.5.9.1 * libopenssl1_1-64bit-debuginfo-1.1.1w-150600.5.9.1 * Basesystem Module 15-SP6 (aarch64 ppc64le s390x x86_64) * openssl-1_1-debugsource-1.1.1w-150600.5.9.1 * openssl-1_1-debuginfo-1.1.1w-150600.5.9.1 * libopenssl1_1-debuginfo-1.1.1w-150600.5.9.1 * libopenssl1_1-1.1.1w-150600.5.9.1 * Basesystem Module 15-SP6 (x86_64) * libopenssl1_1-32bit-1.1.1w-150600.5.9.1 * libopenssl1_1-32bit-debuginfo-1.1.1w-150600.5.9.1 * Development Tools Module 15-SP6 (aarch64 ppc64le s390x x86_64) * openssl-1_1-debugsource-1.1.1w-150600.5.9.1 * libopenssl-1_1-devel-1.1.1w-150600.5.9.1 * openssl-1_1-debuginfo-1.1.1w-150600.5.9.1 ## References: * https://www.suse.com/security/cve/CVE-2023-50782.html * https://bugzilla.suse.com/show_bug.cgi?id=1220262 * https://bugzilla.suse.com/show_bug.cgi?id=1224258 * https://bugzilla.suse.com/show_bug.cgi?id=1224260 * https://bugzilla.suse.com/show_bug.cgi?id=1224264 * https://bugzilla.suse.com/show_bug.cgi?id=1224265 * https://bugzilla.suse.com/show_bug.cgi?id=1224266 * https://bugzilla.suse.com/show_bug.cgi?id=1224267 * https://bugzilla.suse.com/show_bug.cgi?id=1224268 * https://bugzilla.suse.com/show_bug.cgi?id=1224269 * https://bugzilla.suse.com/show_bug.cgi?id=1224270 * https://bugzilla.suse.com/show_bug.cgi?id=1224271 * https://bugzilla.suse.com/show_bug.cgi?id=1224272 * https://bugzilla.suse.com/show_bug.cgi?id=1224273 * https://bugzilla.suse.com/show_bug.cgi?id=1224275 * https://bugzilla.suse.com/show_bug.cgi?id=1228618 * https://bugzilla.suse.com/show_bug.cgi?id=1228619 * https://bugzilla.suse.com/show_bug.cgi?id=1228623