openSUSE Security Update : openssl (openSUSE-SU-2015:0130-1) (FREAK)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

openssl was updated to 1.0.1k to fix various security issues and bugs.

More information can be found in the openssl advisory:
http://openssl.org/news/secadv/20150108.txt

Following issues were fixed :

- CVE-2014-3570 (bsc#912296): Bignum squaring (BN_sqr) may
have produced incorrect results on some platforms,
including x86_64.

- CVE-2014-3571 (bsc#912294): Fixed crash in
dtls1_get_record whilst in the listen state where you
get two separate reads performed - one for the header
and one for the body of the handshake record.

- CVE-2014-3572 (bsc#912015): Don't accept a handshake
using an ephemeral ECDH ciphersuites with the server key
exchange message omitted.

- CVE-2014-8275 (bsc#912018): Fixed various certificate
fingerprint issues.

- CVE-2015-0204 (bsc#912014): Only allow ephemeral RSA
keys in export ciphersuites

- CVE-2015-0205 (bsc#912293): A fixwas added to prevent
use of DH client certificates without sending
certificate verify message.

- CVE-2015-0206 (bsc#912292): A memory leak was fixed in
dtls1_buffer_record.

See also :

http://lists.opensuse.org/opensuse-updates/2015-01/msg00068.html
http://openssl.org/news/secadv/20150108.txt
https://bugzilla.opensuse.org/show_bug.cgi?id=911399
https://bugzilla.opensuse.org/show_bug.cgi?id=912014
https://bugzilla.opensuse.org/show_bug.cgi?id=912015
https://bugzilla.opensuse.org/show_bug.cgi?id=912018
https://bugzilla.opensuse.org/show_bug.cgi?id=912292
https://bugzilla.opensuse.org/show_bug.cgi?id=912293
https://bugzilla.opensuse.org/show_bug.cgi?id=912294
https://bugzilla.opensuse.org/show_bug.cgi?id=912296

Solution :

Update the affected openssl packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

Family: SuSE Local Security Checks

Nessus Plugin ID: 80991 ()

Bugtraq ID:

CVE ID: CVE-2014-3569
CVE-2014-3570
CVE-2014-3571
CVE-2014-3572
CVE-2014-8275
CVE-2015-0204
CVE-2015-0205
CVE-2015-0206

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now