openSUSE Security Update : openssl-steam (openSUSE-2018-168)

Nessus Plugin ID 106863 | Severity: High

The remote openSUSE host is missing a security update.


This update for openssl-steam fixes the following issues:

- Merged changes from upstream openssl (Factory rev 137) into this fork for Steam.

Updated to openssl 1.0.2k:

- CVE-2016-7055: Montgomery multiplication may produce incorrect results (boo#1009528)

- CVE-2016-7056: ECDSA P-256 timing attack key recovery (boo#1019334)

- CVE-2017-3731: Truncated packet could crash via OOB read (boo#1022085)

- CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64 (boo#1022086)

Updated to openssl 1.0.2j:

- CVE-2016-7052: Missing CRL sanity check (boo#1001148)

OpenSSL Security Advisory [22 Sep 2016] (boo#999665)

- Severity: High

- CVE-2016-6304: OCSP Status Request extension unbounded memory growth (boo#999666)

- Severity: Low

- CVE-2016-2177: Pointer arithmetic undefined behaviour (boo#982575)

- CVE-2016-2178: Constant time flag not preserved in DSA signing (boo#983249)

- CVE-2016-2179: DTLS buffered message DoS (boo#994844)

- CVE-2016-2180: OOB read in TS_OBJ_print_bio() (boo#990419)

- CVE-2016-2181: DTLS replay protection DoS (boo#994749)

- CVE-2016-2182: OOB write in BN_bn2dec() (boo#993819)

- CVE-2016-2183: Birthday attack against 64-bit block ciphers (SWEET32) (boo#995359)

- CVE-2016-6302: Malformed SHA512 ticket DoS (boo#995324)

- CVE-2016-6303: OOB write in MDC2_Update() (boo#995377)

- CVE-2016-6306: Certificate message OOB reads (boo#999668)

Also fixed:

- fixed a crash in print_notice (boo#998190)

- fix X509_CERT_FILE path (boo#1022271) and rename

- resume reading from /dev/urandom when interrupted by a signal (boo#995075)

- fix problems with locking in FIPS mode (boo#992120)

- duplicates: boo#991877, boo#991193, boo#990392, boo#990428 and boo#990207

- drop openssl-fips_RSA_compute_d_with_lcm.patch (upstream) (boo#984323)

- don't check for /etc/system-fips (boo#982268)


Update the affected openssl-steam packages.
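The plugin is a local check: it reads the host's installed package list (the Host/SuSE/rpm-list KB item above) and compares the openssl-steam packages against the fixed build. The script below does the same thing in the same spirit, as an added example; it is not Tenable's NASL code. It assumes the fixed version is the 1.0.2k build named in the changelog (the exact openSUSE package release string is not stated on this page, so FIXED_VERSION is a placeholder to adjust), takes the package names from the plugin's CPE list, and prints the zypper command that installs patch openSUSE-2018-168 when a vulnerable package is found. The sample package lists used in the usage notes are constructed.

```sh
#!/bin/sh
# Added example, not Tenable's plugin: flag installed openssl-steam packages
# that are older than the fixed build, driven either by the live rpm database
# or by a saved "NAME VERSION" list.
# Assumption: the fixed version is 1.0.2k (from the changelog above); the
# exact openSUSE package release is not on the page, so adjust as needed.
FIXED_VERSION="1.0.2k"

# Runtime package names taken from the plugin's CPE list.
AFFECTED_PKGS="libopenssl1_0_0-steam libopenssl1_0_0-steam-32bit"

# version_lt A B: succeed (exit 0) if version A sorts strictly before B.
# Each dotted component is split into a leading number and a trailing letter
# suffix, so OpenSSL's 1.0.2j < 1.0.2k ordering is honoured.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            match(A[i], /^[0-9]*/); xa = substr(A[i], 1, RLENGTH) + 0; sa = substr(A[i], RLENGTH + 1)
            match(B[i], /^[0-9]*/); xb = substr(B[i], 1, RLENGTH) + 0; sb = substr(B[i], RLENGTH + 1)
            if (xa != xb) exit (xa < xb) ? 0 : 1
            if (sa != sb) exit (sa < sb) ? 0 : 1
        }
        exit 1   # equal versions are not "less than"
    }'
}

# check_rpm_list LIST: LIST holds "NAME VERSION" lines, one per installed
# package, as produced by: rpm -qa --qf '%{NAME} %{VERSION}\n'
# Prints every affected package below FIXED_VERSION and the remediation.
# Returns 1 if any was found (host vulnerable), 0 otherwise.
check_rpm_list() {
    vulnerable=0
    while read -r name version; do
        for pkg in $AFFECTED_PKGS; do
            if [ "$name" = "$pkg" ] && version_lt "$version" "$FIXED_VERSION"; then
                echo "VULNERABLE: $name $version (fixed in $FIXED_VERSION)"
                vulnerable=1
            fi
        done
    done <<EOF
$1
EOF
    if [ "$vulnerable" -eq 1 ]; then
        echo "Remediation: zypper in -t patch openSUSE-2018-168"
    fi
    return $vulnerable
}

# On a real openSUSE host, run against the live rpm database. Elsewhere (no
# rpm binary) drive check_rpm_list with a saved list instead.
if command -v rpm >/dev/null 2>&1; then
    check_rpm_list "$(rpm -qa --qf '%{NAME} %{VERSION}\n' 2>/dev/null)" || true
fi
```

To test offline, feed check_rpm_list a constructed list such as "libopenssl1_0_0-steam 1.0.2j" (reported, return status 1) or "libopenssl1_0_0-steam 1.0.2k" (clean, return status 0). The -32bit package is checked separately because the plugin's CPE list names it as its own package, and a host can have the 32-bit library installed at a different version than the 64-bit one.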

Plugin Details

Severity: High

ID: 106863

File Name: openSUSE-2018-168.nasl

Version: 3.3

Type: local

Agent: unix

Published: 2/16/2018

Updated: 1/19/2021

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 5.9

CVSS v2.0

Base Score: 7.8

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:libopenssl1_0_0-steam, p-cpe:/a:novell:opensuse:libopenssl1_0_0-steam-32bit, p-cpe:/a:novell:opensuse:libopenssl1_0_0-steam-debuginfo, p-cpe:/a:novell:opensuse:libopenssl1_0_0-steam-debuginfo-32bit, p-cpe:/a:novell:opensuse:openssl-steam-debugsource, cpe:/o:novell:opensuse:42.3

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 2/16/2018

Reference Information

CVE: CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6306, CVE-2016-7052, CVE-2016-7055, CVE-2016-7056, CVE-2017-3731, CVE-2017-3732