openSUSE-SU-2017:1212-1: moderate: Security update for libressl

8 May 2017

      openSUSE Security Update: Security update for libressl
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2017:1212-1
Rating:             moderate
References:         #1019334 #968050 
Cross-References:   CVE-2016-0702 CVE-2016-7056
Affected Products:
                    openSUSE Leap 42.1
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for libressl to version 2.5.1 fixes the following issues:

   These security issues were fixed:

   - CVE-2016-0702: Prevent side channel attack on modular exponentiation
     (boo#968050).
   - CVE-2016-7056: Avoid a side-channel cache-timing attack that can leak
     the ECDSA private keys when signing (boo#1019334).

   These non-security issues were fixed:

   - Detect zero-length encrypted session data early
   - Curve25519 Key Exchange support.
   - Support for alternate chains for certificate verification.
   - Added EVP interface for MD5+SHA1 hashes
   - Fixed DTLS client failures when the server sends a certificate request.
   - Corrected handling of padding when upgrading an SSLv2 challenge into an
     SSLv3/TLS connection.
   - Allowed protocols and ciphers to be set on a TLS config object in libtls.

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.1:

      zypper in -t patch openSUSE-2017-560=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE Leap 42.1 (i586 x86_64):

      libcrypto41-2.5.3-13.1
      libcrypto41-debuginfo-2.5.3-13.1
      libressl-2.5.3-13.1
      libressl-debuginfo-2.5.3-13.1
      libressl-debugsource-2.5.3-13.1
      libressl-devel-2.5.3-13.1
      libssl43-2.5.3-13.1
      libssl43-debuginfo-2.5.3-13.1
      libtls15-2.5.3-13.1
      libtls15-debuginfo-2.5.3-13.1

   - openSUSE Leap 42.1 (noarch):

      libressl-devel-doc-2.5.3-13.1

   - openSUSE Leap 42.1 (x86_64):

      libcrypto41-32bit-2.5.3-13.1
      libcrypto41-debuginfo-32bit-2.5.3-13.1
      libressl-devel-32bit-2.5.3-13.1
      libssl43-32bit-2.5.3-13.1
      libssl43-debuginfo-32bit-2.5.3-13.1
      libtls15-32bit-2.5.3-13.1
      libtls15-debuginfo-32bit-2.5.3-13.1

References:

   https://www.suse.com/security/cve/CVE-2016-0702.html
   https://www.suse.com/security/cve/CVE-2016-7056.html
   https://bugzilla.suse.com/1019334
   https://bugzilla.suse.com/968050

openSUSE-SU-2017:1212-1: moderate: Security update for libressl

opensuse-security＠opensuse.org