openSUSE Security Update : openssl-steam (openSUSE-2018-168)

critical Nessus Plugin ID 106863

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for openssl-steam fixes the following issues:

- Merged changes from upstream openssl (Factory rev 137) into this fork for Steam.

Updated to openssl 1.0.2k:

- CVE-2016-7055: Montgomery multiplication may produce incorrect results (boo#1009528)

- CVE-2016-7056: ECDSA P-256 timing attack key recovery (boo#1019334)

- CVE-2017-3731: Truncated packet could crash via OOB read (boo#1022085)

- CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64 (boo#1022086)

Update to openssl-1.0.2j:

- CVE-2016-7052: Missing CRL sanity check (boo#1001148)

OpenSSL Security Advisory [22 Sep 2016] (boo#999665)

Severity: High

- CVE-2016-6304: OCSP Status Request extension unbounded memory growth (boo#999666)

Severity: Low

- CVE-2016-2177: Pointer arithmetic undefined behaviour (boo#982575)

- CVE-2016-2178: Constant time flag not preserved in DSA signing (boo#983249)

- CVE-2016-2179: DTLS buffered message DoS (boo#994844)

- CVE-2016-2180: OOB read in TS_OBJ_print_bio() (boo#990419)

- CVE-2016-2181: DTLS replay protection DoS (boo#994749)

- CVE-2016-2182: OOB write in BN_bn2dec() (boo#993819)

- CVE-2016-2183: Birthday attack against 64-bit block ciphers (SWEET32) (boo#995359)

- CVE-2016-6302: Malformed SHA512 ticket DoS (boo#995324)

- CVE-2016-6303: OOB write in MDC2_Update() (boo#995377)

- CVE-2016-6306: Certificate message OOB reads (boo#999668)

Also fixed:

- fixed a crash in print_notice (boo#998190)

- fix X509_CERT_FILE path (boo#1022271) and rename

- resume reading from /dev/urandom when interrupted by a signal (boo#995075)

- fix problems with locking in FIPS mode (boo#992120)

- duplicates: boo#991877, boo#991193, boo#990392, boo#990428 and boo#990207

- drop openssl-fips_RSA_compute_d_with_lcm.patch (upstream) (boo#984323)

- don't check for /etc/system-fips (boo#982268)

Solution

Update the affected openssl-steam packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1001148

https://bugzilla.opensuse.org/show_bug.cgi?id=1009528

https://bugzilla.opensuse.org/show_bug.cgi?id=1019334

https://bugzilla.opensuse.org/show_bug.cgi?id=1022085

https://bugzilla.opensuse.org/show_bug.cgi?id=1022086

https://bugzilla.opensuse.org/show_bug.cgi?id=1022271

https://bugzilla.opensuse.org/show_bug.cgi?id=982268

https://bugzilla.opensuse.org/show_bug.cgi?id=982575

https://bugzilla.opensuse.org/show_bug.cgi?id=983249

https://bugzilla.opensuse.org/show_bug.cgi?id=984323

https://bugzilla.opensuse.org/show_bug.cgi?id=990207

https://bugzilla.opensuse.org/show_bug.cgi?id=990392

https://bugzilla.opensuse.org/show_bug.cgi?id=990419

https://bugzilla.opensuse.org/show_bug.cgi?id=990428

https://bugzilla.opensuse.org/show_bug.cgi?id=991193

https://bugzilla.opensuse.org/show_bug.cgi?id=991877

https://bugzilla.opensuse.org/show_bug.cgi?id=992120

https://bugzilla.opensuse.org/show_bug.cgi?id=993819

https://bugzilla.opensuse.org/show_bug.cgi?id=994749

https://bugzilla.opensuse.org/show_bug.cgi?id=994844

https://bugzilla.opensuse.org/show_bug.cgi?id=995075

https://bugzilla.opensuse.org/show_bug.cgi?id=995324

https://bugzilla.opensuse.org/show_bug.cgi?id=995359

https://bugzilla.opensuse.org/show_bug.cgi?id=995377

https://bugzilla.opensuse.org/show_bug.cgi?id=998190

https://bugzilla.opensuse.org/show_bug.cgi?id=999665

https://bugzilla.opensuse.org/show_bug.cgi?id=999666

https://bugzilla.opensuse.org/show_bug.cgi?id=999668

Plugin Details

Severity: Critical

ID: 106863

File Name: openSUSE-2018-168.nasl

Version: 3.3

Type: local

Agent: unix

Published: 2/16/2018

Updated: 1/19/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:libopenssl1_0_0-steam, p-cpe:/a:novell:opensuse:libopenssl1_0_0-steam-32bit, p-cpe:/a:novell:opensuse:libopenssl1_0_0-steam-debuginfo, p-cpe:/a:novell:opensuse:libopenssl1_0_0-steam-debuginfo-32bit, p-cpe:/a:novell:opensuse:openssl-steam-debugsource, cpe:/o:novell:opensuse:42.3

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 2/16/2018

Reference Information

CVE: CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6306, CVE-2016-7052, CVE-2016-7055, CVE-2016-7056, CVE-2017-3731, CVE-2017-3732