openSUSE Security Update : libressl (openSUSE-2017-561)
Low Nessus Plugin ID 100043
SynopsisThe remote openSUSE host is missing a security update.
DescriptionThis update for libressl to version 2.5.1 fixes the following issues :
These security issues were fixed :
- CVE-2016-0702: Prevent side channel attack on modular exponentiation (boo#968050).
- CVE-2016-7056: Avoid a side-channel cache-timing attack that can leak the ECDSA private keys when signing (boo#1019334).
These non-security issues were fixed :
- Detect zero-length encrypted session data early
- Curve25519 Key Exchange support.
- Support for alternate chains for certificate verification.
- Added EVP interface for MD5+SHA1 hashes
- Fixed DTLS client failures when the server sends a certificate request.
- Corrected handling of padding when upgrading an SSLv2 challenge into an SSLv3/TLS connection.
- Allowed protocols and ciphers to be set on a TLS config object in libtls.
For additional changes please refer to the changelog.
SolutionUpdate the affected libressl packages.