Hi,

please see below. I'd like to add that openSUSE 13.1 still had SSLv2
enabled. Therefore I'm planning to do the same for 13.1 as described
here for SLES and Leap 42.1.

The patch is currently building for 13.1.

I'm not sure what to do for 11.4. 11.4 is currently on 1.0.1p and
probably it's totally acceptable to update it to 1.0.1s?

Anyone up for taking care?


Wolfgang

-------- Forwarded Message --------
Subject: [security-announce] Today's openssl release - "DROWN"
CVE-2016-0800 and "Cachebleed"
Date: Tue, 1 Mar 2016 15:13:55 +0100
From: Marcus Meissner <meiss...@suse.de>
Organization: SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard,
Graham Norton, HRB 21284 (AG Nürnberg)
To: opensuse-security-annou...@opensuse.org

Hi,

The openssl team is just releasing security updates fixing various
issues in openssl.

The most relevant issue is called "DROWN", http://drownattack.com/ ,
CVE-2016-0800

Basically the SSLv2 protocol, especially when used with weak (EXPORT)
ciphers, is vulnerable to technically feasible Man-in-the-Middle Attacks.

There is no choice but to switch SSLv2 and also EXPORT ciphers now off
by default.

For SLES (and also Leap 42.1) we are taking this step, but you can
override this for very old legacy software using environment variables.

Set the environment variables:
        OPENSSL_ALLOW_SSL2      for allowing sslv2 again
        OPENSSL_ALLOW_EXPORT    for allowing EXPORT ciphers again

Online updates for SUSE Linux Enterprise are currently being
released and a TID for SUSE Linux Enterprise will be published at
https://www.suse.com/support/kb/doc.php?id=7017297


openSUSE 13.2 and openSUSE Tumbleweed already ship built with "no-ssl2"
configure option, so do not feature SSLv2 anymore at all.

openSUSE Leap 42.1 will get an update imported from SLES 12 SP1 today.

There is a secondary issue called "CacheBleed", which however requires
attackers to operate on the same CPU in the same HyperThread, making this
attack less likely. ( http://ssrg.nicta.com.au/projects/TS/cachebleed// )

Other security issues with lesser impact are also fixed in this update
round, but not specifically mentioned in this email.

Ciao, Marcus





_______________________________________________
Evergreen mailing list
Evergreen@lists.rosenauer.org
http://lists.rosenauer.org/mailman/listinfo/evergreen
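A check to run on a host after rolling out this update, added here for the thread and not SUSE's own tooling: it reports whether the OpenSSL linked into Python still exposes SSLv2 or EXPORT suites, whether either of the re-enable variables from the announcement is set, and builds a client context with both switched off. The cipher string and function names are my own choices, not SUSE defaults; Python 3.7 or newer is assumed.

```python
"""Audit the linked OpenSSL for the pieces DROWN relies on (SSLv2 and
EXPORT-grade suites) and build a context that refuses both."""
import os
import ssl

# Hardened cipher string (an assumption, not the SUSE default list).
# '!EXPORT' and '!LOW' remove the 40/56-bit export-grade suites.
HARDENED_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!RC4:!MD5:!DES:!3DES"

# The override variables named in the announcement.
LEGACY_OVERRIDES = ("OPENSSL_ALLOW_SSL2", "OPENSSL_ALLOW_EXPORT")


def library_has_sslv2() -> bool:
    """True if libssl was built with SSLv2 (i.e. without 'no-ssl2')."""
    # ssl.HAS_SSLv2 exists from Python 3.7; fall back to the old constant.
    return bool(getattr(ssl, "HAS_SSLv2", hasattr(ssl, "PROTOCOL_SSLv2")))


def library_offers_export_ciphers() -> bool:
    """True if any EXPORT-grade suite can still be selected at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("EXPORT")
    except ssl.SSLError:
        # OpenSSL rejects a cipher string that matches no suite.
        return False
    return len(ctx.get_ciphers()) > 0


def legacy_overrides_set(env=None) -> list:
    """Names of the re-enable variables present in the environment."""
    env = os.environ if env is None else env
    return [name for name in LEGACY_OVERRIDES if name in env]


def hardened_context() -> ssl.SSLContext:
    """Client context that never negotiates SSLv2/SSLv3 or EXPORT suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # excludes SSLv2/3, TLS 1.0/1.1
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def export_suites_in(ctx: ssl.SSLContext) -> list:
    """EXPORT-grade suite names still enabled in a context (expect none)."""
    return [c["name"] for c in ctx.get_ciphers() if "EXP" in c["name"]]


if __name__ == "__main__":
    print("libssl built with SSLv2:", library_has_sslv2())
    print("EXPORT suites selectable:", library_offers_export_ciphers())
    print("override variables set:", legacy_overrides_set())
    print("EXPORT suites in hardened ctx:", export_suites_in(hardened_context()))
```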
