Security update for libressl SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2015:1830-2 Final 1 1 2015-10-19T11:28:33Z current 2015-10-19T11:28:33Z 2015-10-19T11:28:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libressl libressl was updated to fix two security issues. These security issues were fixed: - CVE-2015-5333: Memory leak when decoding X.509 certificates (boo#950707) - CVE-2015-5334: Buffer overflow when decoding X.509 certificates (boo#950708) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2015-10/msg00055.html E-Mail link for openSUSE-SU-2015:1830-2 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 libcrypto36-2.3.0-3.1 libcrypto36-32bit-2.3.0-3.1 libressl-2.3.0-3.1 libressl-devel-2.3.0-3.1 libressl-devel-32bit-2.3.0-3.1 libressl-devel-doc-2.3.0-3.1 libssl37-2.3.0-3.1 libssl37-32bit-2.3.0-3.1 libtls9-2.3.0-3.1 libtls9-32bit-2.3.0-3.1 libcrypto36-2.3.0-3.1 as a component of openSUSE Leap 42.1 libcrypto36-32bit-2.3.0-3.1 as a component of openSUSE Leap 42.1 libressl-2.3.0-3.1 as a component of openSUSE Leap 42.1 libressl-devel-2.3.0-3.1 as a component of openSUSE Leap 42.1 libressl-devel-32bit-2.3.0-3.1 as a component of openSUSE Leap 42.1 libressl-devel-doc-2.3.0-3.1 as a component of openSUSE Leap 42.1 libssl37-2.3.0-3.1 as a component of openSUSE Leap 42.1 libssl37-32bit-2.3.0-3.1 as a component of openSUSE Leap 42.1 libtls9-2.3.0-3.1 as a component of openSUSE Leap 42.1 libtls9-32bit-2.3.0-3.1 as a component of openSUSE Leap 42.1 Memory leak in the OBJ_obj2txt function in LibreSSL before 2.3.1 allows remote attackers to cause a denial of service (memory consumption) via a large number of ASN.1 object identifiers in X.509 certificates. CVE-2015-5333 openSUSE Leap 42.1:libcrypto36-2.3.0-3.1 openSUSE Leap 42.1:libcrypto36-32bit-2.3.0-3.1 openSUSE Leap 42.1:libressl-2.3.0-3.1 openSUSE Leap 42.1:libressl-devel-2.3.0-3.1 openSUSE Leap 42.1:libressl-devel-32bit-2.3.0-3.1 openSUSE Leap 42.1:libressl-devel-doc-2.3.0-3.1 openSUSE Leap 42.1:libssl37-2.3.0-3.1 openSUSE Leap 42.1:libssl37-32bit-2.3.0-3.1 openSUSE Leap 42.1:libtls9-2.3.0-3.1 openSUSE Leap 42.1:libtls9-32bit-2.3.0-3.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-10/msg00055.html https://www.suse.com/security/cve/CVE-2015-5333.html CVE-2015-5333 https://bugzilla.suse.com/950707 SUSE Bug 950707 https://bugzilla.suse.com/950708 SUSE Bug 950708 Off-by-one error in the OBJ_obj2txt function in LibreSSL before 2.3.1 allows remote attackers to cause a denial of service (program crash) or possible execute arbitrary code via a crafted X.509 certificate, which triggers a stack-based buffer overflow. Note: this vulnerability exists because of an incorrect fix for CVE-2014-3508. CVE-2015-5334 openSUSE Leap 42.1:libcrypto36-2.3.0-3.1 openSUSE Leap 42.1:libcrypto36-32bit-2.3.0-3.1 openSUSE Leap 42.1:libressl-2.3.0-3.1 openSUSE Leap 42.1:libressl-devel-2.3.0-3.1 openSUSE Leap 42.1:libressl-devel-32bit-2.3.0-3.1 openSUSE Leap 42.1:libressl-devel-doc-2.3.0-3.1 openSUSE Leap 42.1:libssl37-2.3.0-3.1 openSUSE Leap 42.1:libssl37-32bit-2.3.0-3.1 openSUSE Leap 42.1:libtls9-2.3.0-3.1 openSUSE Leap 42.1:libtls9-32bit-2.3.0-3.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-10/msg00055.html https://www.suse.com/security/cve/CVE-2015-5334.html CVE-2015-5334 https://bugzilla.suse.com/950707 SUSE Bug 950707 https://bugzilla.suse.com/950708 SUSE Bug 950708