SUSE-SU-2015:0305-1

See a problem?
Please try reporting it to the source first.
Source
https://www.suse.com/support/update/announcement/2015/suse-su-20150305-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2015:0305-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2015:0305-1
Related
Published
2015-02-04T12:44:14Z
Modified
2015-02-04T12:44:14Z
Summary
Security update for compat-openssl098
Details

The openssl 0.9.8j compatibility package was updated to fix several security vulnerabilities:

CVE-2014-3570: Bignum squaring (BNsqr) may produce incorrect results on some platforms, including x8664.

CVE-2014-3571: Fix crash in dtls1getrecord whilst in the listen state where you get two separate reads performed - one for the header and one for the body of the handshake record.

CVE-2014-3572: Do not accept a handshake using an ephemeral ECDH ciphersuites with the server key exchange message omitted.

CVE-2014-8275: Fixed various certificate fingerprint issues

CVE-2015-0204: Only allow ephemeral RSA keys in export ciphersuites

CVE-2015-0205: OpenSSL 0.9.8j is NOT vulnerable to CVE-2015-0205 as it doesn't support DH certificates and this typo prohibits skipping of certificate verify message for sign only certificates anyway. (This patch only fixes the wrong condition)

This update also fixes regression caused by CVE-2014-0224.patch (bnc#892403)

References

Affected packages

SUSE:Linux Enterprise Desktop 12 / compat-openssl098

Package

Name
compat-openssl098
Purl
purl:rpm/suse/compat-openssl098&distro=SUSE%20Linux%20Enterprise%20Desktop%2012

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.9.8j-70.2

Ecosystem specific 

{
    "binaries": [
        {
            "libopenssl0_9_8": "0.9.8j-70.2",
            "libopenssl0_9_8-32bit": "0.9.8j-70.2"
        }
    ]
}

SUSE:Linux Enterprise Module for Legacy 12 / compat-openssl098

Package

Name
compat-openssl098
Purl
purl:rpm/suse/compat-openssl098&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Legacy%2012

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.9.8j-70.2

Ecosystem specific 

{
    "binaries": [
        {
            "libopenssl0_9_8": "0.9.8j-70.2",
            "libopenssl0_9_8-32bit": "0.9.8j-70.2"
        }
    ]
}