Security update for libressl SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:1327-1 Final 1 1 2016-05-18T09:08:33Z current 2016-05-18T09:08:33Z 2016-05-18T09:08:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libressl This libressl update to version 2.2.7 fixes the following issues: Security issues fixed: - Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding. [boo#978492, boo#977584] - CVE-2015-3194: Certificate verify crash with missing PSS parameter (boo#957815) - CVE-2015-3195: X509_ATTRIBUTE memory leak (boo#957812) - CVE-2015-5333: Memory Leak (boo#950707) - CVE-2015-5334: Buffer Overflow (boo#950708) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-updates/2016-05/msg00073.html E-Mail link for openSUSE-SU-2016:1327-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE 13.2 libcrypto34-2.2.7-2.13.1 libcrypto34-32bit-2.2.7-2.13.1 libcrypto34-debuginfo-2.2.7-2.13.1 libcrypto34-debuginfo-32bit-2.2.7-2.13.1 libressl-2.2.7-2.13.1 libressl-debuginfo-2.2.7-2.13.1 libressl-debugsource-2.2.7-2.13.1 libressl-devel-2.2.7-2.13.1 libressl-devel-32bit-2.2.7-2.13.1 libressl-devel-doc-2.2.7-2.13.1 libssl33-2.2.7-2.13.1 libssl33-32bit-2.2.7-2.13.1 libssl33-debuginfo-2.2.7-2.13.1 libssl33-debuginfo-32bit-2.2.7-2.13.1 libtls4-2.2.7-2.13.1 libtls4-32bit-2.2.7-2.13.1 libtls4-debuginfo-2.2.7-2.13.1 libtls4-debuginfo-32bit-2.2.7-2.13.1 libcrypto34-2.2.7-2.13.1 as a component of openSUSE 13.2 libcrypto34-32bit-2.2.7-2.13.1 as a component of openSUSE 13.2 libcrypto34-debuginfo-2.2.7-2.13.1 as a component of openSUSE 13.2 libcrypto34-debuginfo-32bit-2.2.7-2.13.1 as a component of openSUSE 13.2 libressl-2.2.7-2.13.1 as a component of openSUSE 13.2 libressl-debuginfo-2.2.7-2.13.1 as a component of openSUSE 13.2 libressl-debugsource-2.2.7-2.13.1 as a component of openSUSE 13.2 libressl-devel-2.2.7-2.13.1 as a component of openSUSE 13.2 libressl-devel-32bit-2.2.7-2.13.1 as a component of openSUSE 13.2 libressl-devel-doc-2.2.7-2.13.1 as a component of openSUSE 13.2 libssl33-2.2.7-2.13.1 as a component of openSUSE 13.2 libssl33-32bit-2.2.7-2.13.1 as a component of openSUSE 13.2 libssl33-debuginfo-2.2.7-2.13.1 as a component of openSUSE 13.2 libssl33-debuginfo-32bit-2.2.7-2.13.1 as a component of openSUSE 13.2 libtls4-2.2.7-2.13.1 as a component of openSUSE 13.2 libtls4-32bit-2.2.7-2.13.1 as a component of openSUSE 13.2 libtls4-debuginfo-2.2.7-2.13.1 as a component of openSUSE 13.2 libtls4-debuginfo-32bit-2.2.7-2.13.1 as a component of openSUSE 13.2 crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter. CVE-2015-3194 openSUSE 13.2:libcrypto34-2.2.7-2.13.1 openSUSE 13.2:libcrypto34-32bit-2.2.7-2.13.1 openSUSE 13.2:libcrypto34-debuginfo-2.2.7-2.13.1 openSUSE 13.2:libcrypto34-debuginfo-32bit-2.2.7-2.13.1 openSUSE 13.2:libressl-2.2.7-2.13.1 openSUSE 13.2:libressl-debuginfo-2.2.7-2.13.1 openSUSE 13.2:libressl-debugsource-2.2.7-2.13.1 openSUSE 13.2:libressl-devel-2.2.7-2.13.1 openSUSE 13.2:libressl-devel-32bit-2.2.7-2.13.1 openSUSE 13.2:libressl-devel-doc-2.2.7-2.13.1 openSUSE 13.2:libssl33-2.2.7-2.13.1 openSUSE 13.2:libssl33-32bit-2.2.7-2.13.1 openSUSE 13.2:libssl33-debuginfo-2.2.7-2.13.1 openSUSE 13.2:libssl33-debuginfo-32bit-2.2.7-2.13.1 openSUSE 13.2:libtls4-2.2.7-2.13.1 openSUSE 13.2:libtls4-32bit-2.2.7-2.13.1 openSUSE 13.2:libtls4-debuginfo-2.2.7-2.13.1 openSUSE 13.2:libtls4-debuginfo-32bit-2.2.7-2.13.1 important 4.9 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-05/msg00073.html https://www.suse.com/security/cve/CVE-2015-3194.html CVE-2015-3194 https://bugzilla.suse.com/957812 SUSE Bug 957812 https://bugzilla.suse.com/957815 SUSE Bug 957815 https://bugzilla.suse.com/958768 SUSE Bug 958768 https://bugzilla.suse.com/976341 SUSE Bug 976341 https://bugzilla.suse.com/990370 SUSE Bug 990370 The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application. CVE-2015-3195 openSUSE 13.2:libcrypto34-2.2.7-2.13.1 openSUSE 13.2:libcrypto34-32bit-2.2.7-2.13.1 openSUSE 13.2:libcrypto34-debuginfo-2.2.7-2.13.1 openSUSE 13.2:libcrypto34-debuginfo-32bit-2.2.7-2.13.1 openSUSE 13.2:libressl-2.2.7-2.13.1 openSUSE 13.2:libressl-debuginfo-2.2.7-2.13.1 openSUSE 13.2:libressl-debugsource-2.2.7-2.13.1 openSUSE 13.2:libressl-devel-2.2.7-2.13.1 openSUSE 13.2:libressl-devel-32bit-2.2.7-2.13.1 openSUSE 13.2:libressl-devel-doc-2.2.7-2.13.1 openSUSE 13.2:libssl33-2.2.7-2.13.1 openSUSE 13.2:libssl33-32bit-2.2.7-2.13.1 openSUSE 13.2:libssl33-debuginfo-2.2.7-2.13.1 openSUSE 13.2:libssl33-debuginfo-32bit-2.2.7-2.13.1 openSUSE 13.2:libtls4-2.2.7-2.13.1 openSUSE 13.2:libtls4-32bit-2.2.7-2.13.1 openSUSE 13.2:libtls4-debuginfo-2.2.7-2.13.1 openSUSE 13.2:libtls4-debuginfo-32bit-2.2.7-2.13.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-05/msg00073.html https://www.suse.com/security/cve/CVE-2015-3195.html CVE-2015-3195 https://bugzilla.suse.com/923755 SUSE Bug 923755 https://bugzilla.suse.com/957812 SUSE Bug 957812 https://bugzilla.suse.com/957815 SUSE Bug 957815 https://bugzilla.suse.com/958768 SUSE Bug 958768 https://bugzilla.suse.com/963977 SUSE Bug 963977 https://bugzilla.suse.com/986238 SUSE Bug 986238 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2015-5333 openSUSE 13.2:libcrypto34-2.2.7-2.13.1 openSUSE 13.2:libcrypto34-32bit-2.2.7-2.13.1 openSUSE 13.2:libcrypto34-debuginfo-2.2.7-2.13.1 openSUSE 13.2:libcrypto34-debuginfo-32bit-2.2.7-2.13.1 openSUSE 13.2:libressl-2.2.7-2.13.1 openSUSE 13.2:libressl-debuginfo-2.2.7-2.13.1 openSUSE 13.2:libressl-debugsource-2.2.7-2.13.1 openSUSE 13.2:libressl-devel-2.2.7-2.13.1 openSUSE 13.2:libressl-devel-32bit-2.2.7-2.13.1 openSUSE 13.2:libressl-devel-doc-2.2.7-2.13.1 openSUSE 13.2:libssl33-2.2.7-2.13.1 openSUSE 13.2:libssl33-32bit-2.2.7-2.13.1 openSUSE 13.2:libssl33-debuginfo-2.2.7-2.13.1 openSUSE 13.2:libssl33-debuginfo-32bit-2.2.7-2.13.1 openSUSE 13.2:libtls4-2.2.7-2.13.1 openSUSE 13.2:libtls4-32bit-2.2.7-2.13.1 openSUSE 13.2:libtls4-debuginfo-2.2.7-2.13.1 openSUSE 13.2:libtls4-debuginfo-32bit-2.2.7-2.13.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-05/msg00073.html https://www.suse.com/security/cve/CVE-2015-5333.html CVE-2015-5333 https://bugzilla.suse.com/950707 SUSE Bug 950707 https://bugzilla.suse.com/950708 SUSE Bug 950708 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2015-5334 openSUSE 13.2:libcrypto34-2.2.7-2.13.1 openSUSE 13.2:libcrypto34-32bit-2.2.7-2.13.1 openSUSE 13.2:libcrypto34-debuginfo-2.2.7-2.13.1 openSUSE 13.2:libcrypto34-debuginfo-32bit-2.2.7-2.13.1 openSUSE 13.2:libressl-2.2.7-2.13.1 openSUSE 13.2:libressl-debuginfo-2.2.7-2.13.1 openSUSE 13.2:libressl-debugsource-2.2.7-2.13.1 openSUSE 13.2:libressl-devel-2.2.7-2.13.1 openSUSE 13.2:libressl-devel-32bit-2.2.7-2.13.1 openSUSE 13.2:libressl-devel-doc-2.2.7-2.13.1 openSUSE 13.2:libssl33-2.2.7-2.13.1 openSUSE 13.2:libssl33-32bit-2.2.7-2.13.1 openSUSE 13.2:libssl33-debuginfo-2.2.7-2.13.1 openSUSE 13.2:libssl33-debuginfo-32bit-2.2.7-2.13.1 openSUSE 13.2:libtls4-2.2.7-2.13.1 openSUSE 13.2:libtls4-32bit-2.2.7-2.13.1 openSUSE 13.2:libtls4-debuginfo-2.2.7-2.13.1 openSUSE 13.2:libtls4-debuginfo-32bit-2.2.7-2.13.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-05/msg00073.html https://www.suse.com/security/cve/CVE-2015-5334.html CVE-2015-5334 https://bugzilla.suse.com/950707 SUSE Bug 950707 https://bugzilla.suse.com/950708 SUSE Bug 950708