SUSE-SU-2018:2956-1 -- SLES libopenssl-1_1-devel, libopenssl1_1, libopenssl-devel, openssl
ID: oval:org.secpod.oval:def:89049636 | Date: (C)2023-12-20 (M)2024-04-17 |
Class: PATCH | Family: unix |
This update for openssl-1_1 to 1.1.0i fixes the following issues:

These security issues were fixed:
- CVE-2018-0732: During key agreement in a TLS handshake using a DH based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack
- Make problematic ECDSA sign addition length-invariant
- Add blinding to ECDSA and DSA signatures to protect against side channel attacks

These non-security issues were fixed:
- When unlocking a pass phrase protected PEM file or PKCS#8 container, we now allow empty pass phrases.
- Certificate time validation enforces stricter compliance with RFC 5280. Fractional seconds and timezone offsets are no longer allowed.
- Fixed a text canonicalisation bug in CMS
- Add openssl Provide so the packages that require the openssl binary can require this instead of the new openssl meta package
Platform: |
SUSE Linux Enterprise Server 15 |
SUSE Linux Enterprise Desktop 15 |
Product: |
libopenssl-1_1-devel |
libopenssl1_1 |
libopenssl-devel |
openssl |