Security update for compat-openssl098
SUSE-SU-2019:1608-1

Document type: SUSE Patch
Publisher: SUSE Security Team (security@suse.de)
Status: Final, version 1, revision 1
Initial release date: 2019-06-21T08:27:12Z
Current release date: 2019-06-21T08:27:12Z
Generator: cve-database/bin/generate-cvrf.pl (2017-02-24T01:00:00Z)

Summary

This update for compat-openssl098 fixes the following issues:

- CVE-2019-1559: Fix 0-byte record padding oracle via SSL_shutdown (bsc#1127080)
- Reject invalid EC point coordinates (bsc#1131291)
- Fixed "The 9 Lives of Bleichenbacher's CAT: Cache ATtacks on TLS Implementations" (bsc#1117951)

Legal notice

The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution for Non-Commercial usage (CC-BY-NC-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution for Non-Commercial usage (CC-BY-NC-4.0).

Document references

- Link for SUSE-SU-2019:1608-1: https://www.suse.com/support/update/announcement/2019/suse-su-20191608-1/
- E-Mail link for SUSE-SU-2019:1608-1: http://lists.suse.com/pipermail/sle-security-updates/2019-June/005602.html
- SUSE Security Ratings: https://www.suse.com/support/security/rating/

Updated packages

- compat-openssl098-0.9.8j-106.12.1
- libopenssl0_9_8-0.9.8j-106.12.1
- libopenssl0_9_8-32bit-0.9.8j-106.12.1

Affected products and the packages shipped for each

- SUSE Linux Enterprise Desktop 12 SP3: compat-openssl098-0.9.8j-106.12.1, libopenssl0_9_8-0.9.8j-106.12.1
- SUSE Linux Enterprise Desktop 12 SP4: compat-openssl098-0.9.8j-106.12.1, libopenssl0_9_8-0.9.8j-106.12.1
- SUSE Linux Enterprise Module for Legacy Software 12: compat-openssl098-0.9.8j-106.12.1, libopenssl0_9_8-0.9.8j-106.12.1, libopenssl0_9_8-32bit-0.9.8j-106.12.1
- SUSE Linux Enterprise Server for SAP Applications 12 SP1: compat-openssl098-0.9.8j-106.12.1, libopenssl0_9_8-0.9.8j-106.12.1
- SUSE Linux Enterprise Server for SAP Applications 12 SP2: compat-openssl098-0.9.8j-106.12.1, libopenssl0_9_8-0.9.8j-106.12.1
- SUSE Linux Enterprise Server for SAP Applications 12 SP3: compat-openssl098-0.9.8j-106.12.1, libopenssl0_9_8-0.9.8j-106.12.1
- SUSE Linux Enterprise Server for SAP Applications 12 SP4: compat-openssl098-0.9.8j-106.12.1, libopenssl0_9_8-0.9.8j-106.12.1

Vulnerability: CVE-2019-1559

Severity: moderate

Description: If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one), then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable, "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also, the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this, but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).

Affected: every product and package combination listed above under "Affected products and the packages shipped for each".

Remediation: Please install the update. https://www.suse.com/support/update/announcement/2019/suse-su-20191608-1/

References:

- CVE-2019-1559: https://www.suse.com/security/cve/CVE-2019-1559.html
- SUSE Bug 1127080: https://bugzilla.suse.com/1127080
- SUSE Bug 1130039: https://bugzilla.suse.com/1130039
- SUSE Bug 1141798: https://bugzilla.suse.com/1141798