openSUSE Security Update : openssl (openSUSE-2016-1130)

Severity: High, Nessus Plugin ID: 93756

VPR Score: 6.7

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for openssl fixes the following issues:

OpenSSL Security Advisory [22 Sep 2016] (boo#999665)

Severity: High

- OCSP Status Request extension unbounded memory growth (CVE-2016-6304) (boo#999666)

Severity: Low

- Pointer arithmetic undefined behaviour (CVE-2016-2177) (boo#982575)

- Constant time flag not preserved in DSA signing (CVE-2016-2178) (boo#983249)

- DTLS buffered message DoS (CVE-2016-2179) (boo#994844)

- OOB read in TS_OBJ_print_bio() (CVE-2016-2180) (boo#990419)

- DTLS replay protection DoS (CVE-2016-2181) (boo#994749)

- OOB write in BN_bn2dec() (CVE-2016-2182) (boo#993819)

- Birthday attack against 64-bit block ciphers (SWEET32) (CVE-2016-2183) (boo#995359)

- Malformed SHA512 ticket DoS (CVE-2016-6302) (boo#995324)

- OOB write in MDC2_Update() (CVE-2016-6303) (boo#995377)

- Certificate message OOB reads (CVE-2016-6306) (boo#999668)

More information can be found at https://www.openssl.org/news/secadv/20160922.txt

- update expired S/MIME certs (boo#979475)

- allow >= 64GB AESGCM transfers (boo#988591)

- fix crash in print_notice (boo#998190)

- resume reading from /dev/urandom when interrupted by a signal (boo#995075)

Solution

Update the affected openssl packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=979475

https://bugzilla.opensuse.org/show_bug.cgi?id=982575

https://bugzilla.opensuse.org/show_bug.cgi?id=983249

https://bugzilla.opensuse.org/show_bug.cgi?id=988591

https://bugzilla.opensuse.org/show_bug.cgi?id=990419

https://bugzilla.opensuse.org/show_bug.cgi?id=993819

https://bugzilla.opensuse.org/show_bug.cgi?id=994749

https://bugzilla.opensuse.org/show_bug.cgi?id=994844

https://bugzilla.opensuse.org/show_bug.cgi?id=995075

https://bugzilla.opensuse.org/show_bug.cgi?id=995324

https://bugzilla.opensuse.org/show_bug.cgi?id=995359

https://bugzilla.opensuse.org/show_bug.cgi?id=995377

https://bugzilla.opensuse.org/show_bug.cgi?id=998190

https://bugzilla.opensuse.org/show_bug.cgi?id=999665

https://bugzilla.opensuse.org/show_bug.cgi?id=999666

https://bugzilla.opensuse.org/show_bug.cgi?id=999668

https://www.openssl.org/news/secadv/20160922.txt

Plugin Details

Severity: High

ID: 93756

File Name: openSUSE-2016-1130.nasl

Version: 2.5

Type: local

Agent: unix

Published: 2016/09/28

Updated: 2020/06/04

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 6.7

CVSS v2.0

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:libopenssl-devel, p-cpe:/a:novell:opensuse:libopenssl-devel-32bit, p-cpe:/a:novell:opensuse:libopenssl1_0_0, p-cpe:/a:novell:opensuse:libopenssl1_0_0-32bit, p-cpe:/a:novell:opensuse:libopenssl1_0_0-debuginfo, p-cpe:/a:novell:opensuse:libopenssl1_0_0-debuginfo-32bit, p-cpe:/a:novell:opensuse:libopenssl1_0_0-hmac, p-cpe:/a:novell:opensuse:libopenssl1_0_0-hmac-32bit, p-cpe:/a:novell:opensuse:openssl, p-cpe:/a:novell:opensuse:openssl-debuginfo, p-cpe:/a:novell:opensuse:openssl-debugsource, cpe:/o:novell:opensuse:13.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 2016/09/27

Reference Information

CVE: CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6306