Security update for polarssl SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:0161-1 Final 1 1 2016-01-19T08:03:38Z current 2016-01-19T08:03:38Z 2016-01-19T08:03:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for polarssl This update for polarssl fixes the following issues: * CVE-2015-7575: Disables by default MD5 handshake signatures in TLS 1.2 to prevent the SLOTH attack on TLS 1.2 server authentication (boo#961284) * boo#961290: potential double free during certificate generation The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-updates/2016-01/msg00058.html E-Mail link for openSUSE-SU-2016:0161-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE 13.2 libpolarssl7-1.3.9-14.1 libpolarssl7-debuginfo-1.3.9-14.1 polarssl-1.3.9-14.1 polarssl-devel-1.3.9-14.1 libpolarssl7-1.3.9-14.1 as a component of openSUSE 13.2 libpolarssl7-debuginfo-1.3.9-14.1 as a component of openSUSE 13.2 polarssl-1.3.9-14.1 as a component of openSUSE 13.2 polarssl-devel-1.3.9-14.1 as a component of openSUSE 13.2 Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision. CVE-2015-7575 openSUSE 13.2:libpolarssl7-1.3.9-14.1 openSUSE 13.2:libpolarssl7-debuginfo-1.3.9-14.1 openSUSE 13.2:polarssl-1.3.9-14.1 openSUSE 13.2:polarssl-devel-1.3.9-14.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-01/msg00058.html https://www.suse.com/security/cve/CVE-2015-7575.html CVE-2015-7575 https://bugzilla.suse.com/959888 SUSE Bug 959888 https://bugzilla.suse.com/960402 SUSE Bug 960402 https://bugzilla.suse.com/960996 SUSE Bug 960996 https://bugzilla.suse.com/961280 SUSE Bug 961280 https://bugzilla.suse.com/961281 SUSE Bug 961281 https://bugzilla.suse.com/961282 SUSE Bug 961282 https://bugzilla.suse.com/961283 SUSE Bug 961283 https://bugzilla.suse.com/961284 SUSE Bug 961284 https://bugzilla.suse.com/961290 SUSE Bug 961290 https://bugzilla.suse.com/961357 SUSE Bug 961357 https://bugzilla.suse.com/962743 SUSE Bug 962743 https://bugzilla.suse.com/963937 SUSE Bug 963937 https://bugzilla.suse.com/967521 SUSE Bug 967521 https://bugzilla.suse.com/981087 SUSE Bug 981087