Hi, please see below. I'd like to add that openSUSE 13.1 still had SSLv2 enabled. Therefore I'm planning to do the same for 13.1 as described here for SLES and Leap 42.1.
The patch is currently building for 13.1. I'm not sure what to do for 11.4. 11.4 is currently on 1.0.1p and probably it's totally acceptable to update it to 1.0.1s? Anyone up for taking care?

Wolfgang

-------- Forwarded Message --------
Subject: [security-announce] Todays openssl release - "DROWN" CVE-2016-0800 and "Cachebleed"
Date: Tue, 1 Mar 2016 15:13:55 +0100
From: Marcus Meissner <meiss...@suse.de>
Organization: SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
To: opensuse-security-annou...@opensuse.org

Hi,

The openssl team is just releasing security updates fixing various issues in openssl.

The most relevant issue is called "DROWN", http://drownattack.com/ , CVE-2016-0800

Basically the SSLv2 protocol, especially when used with weak (EXPORT) ciphers, is vulnerable to technically feasible Man-in-the-Middle Attacks.

There is no choice but to switch SSLv2 and also EXPORT ciphers now off by default.

For SLES (and also Leap 42.1) we are taking this step, but you can override this for very old legacy software using environment variables.

Set the environment variables:

  OPENSSL_ALLOW_SSL2      for allowing sslv2 again
  OPENSSL_ALLOW_EXPORT    for allowing EXPORT ciphers again

Online updates for SUSE Linux Enterprise are currently being released and a TID for SUSE Linux Enterprise will be published at https://www.suse.com/support/kb/doc.php?id=7017297

openSUSE 13.2 and openSUSE Tumbleweed already ship built with the "no-ssl2" configure option, so they do not feature SSLv2 anymore at all.

openSUSE Leap 42.1 will get an update imported from SLES 12 SP1 today.

There is a secondary issue called "CacheBleed", which however requires attackers to operate on the same CPU in the same HyperThread, making this attack less likely. ( http://ssrg.nicta.com.au/projects/TS/cachebleed// )

Other security issues with lesser impact are also fixed in this update round, but not specifically mentioned in this email.

Ciao, Marcus
_______________________________________________ Evergreen mailing list Evergreen@lists.rosenauer.org http://lists.rosenauer.org/mailman/listinfo/evergreen
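Before and after applying an update like the one announced above, the practical question is whether a given OpenSSL build still offers SSLv2 and EXPORT cipher suites, which are the two things DROWN needs. The following is an added example (not code from the announcement, SUSE, or the Evergreen project) that does that check in two ways: it parses the output of `openssl ciphers -v 'ALL:COMPLEMENTOFALL'` and flags SSLv2 and export-grade suites, and it asks the Python `ssl` module, which links the system libssl, whether SSLv2 or EXPORT suites can still be selected at all. The `SAMPLE_OUTPUT` is constructed to resemble what a pre-update 1.0.1 build prints; the function and variable names are this example's own. Note that the live check reports what the library currently allows, so on a SUSE build it will reflect whatever `OPENSSL_ALLOW_SSL2`/`OPENSSL_ALLOW_EXPORT` are set to in the environment it runs in.

```python
"""Audit an OpenSSL build for DROWN-relevant exposure: SSLv2 and EXPORT suites.

Added example, not code from the openSUSE/SUSE announcement.
  parse_cipher_list()      parses `openssl ciphers -v 'ALL:COMPLEMENTOFALL'` output
  drown_findings()         groups the suites DROWN relies on
  audit_running_openssl()  checks the libssl the interpreter is linked against
"""
import ssl
from dataclasses import dataclass

# Constructed sample, shaped like `openssl ciphers -v 'ALL:COMPLEMENTOFALL'`
# on an OpenSSL 1.0.1 build that still has SSLv2 and export suites compiled in.
SAMPLE_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
"""


@dataclass(frozen=True)
class CipherSuite:
    name: str       # OpenSSL suite name, e.g. EXP-RC4-MD5
    protocol: str   # lowest protocol version the suite belongs to, e.g. SSLv2
    export: bool    # True when the line carries the trailing "export" flag


def parse_cipher_list(text):
    """Parse `openssl ciphers -v` lines: NAME PROTOCOL Kx=.. Au=.. Enc=.. Mac=.. [export]."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # blank or truncated line
        suites.append(CipherSuite(fields[0], fields[1], "export" in fields[2:]))
    return suites


def drown_findings(suites):
    """Group suites by the properties DROWN exploits: SSLv2 support and export-grade keys."""
    return {
        "sslv2_suites": sorted({s.name for s in suites if s.protocol == "SSLv2"}),
        "export_suites": sorted({s.name for s in suites if s.export}),
        "sslv2_export_suites": sorted(
            {s.name for s in suites if s.protocol == "SSLv2" and s.export}),
    }


def audit_running_openssl():
    """Ask the linked libssl whether SSLv2 or EXPORT suites are still selectable.

    ssl.PROTOCOL_SSLv2 only exists when libssl was built with SSLv2 support;
    set_ciphers("EXPORT") raises ssl.SSLError when no export suite can be selected.
    """
    result = {
        "openssl_version": ssl.OPENSSL_VERSION,
        "sslv2_available": hasattr(ssl, "PROTOCOL_SSLv2"),
        "export_suites": [],
    }
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("EXPORT")
        result["export_suites"] = sorted(c["name"] for c in ctx.get_ciphers())
    except ssl.SSLError:
        pass  # "No cipher can be selected": export suites are gone
    result["hardened"] = not result["sslv2_available"] and not result["export_suites"]
    return result


if __name__ == "__main__":
    findings = drown_findings(parse_cipher_list(SAMPLE_OUTPUT))
    for key, names in findings.items():
        print(f"{key:22s} {', '.join(names) or '(none)'}")
    live = audit_running_openssl()
    print(f"\n{live['openssl_version']}: sslv2_available={live['sslv2_available']} "
          f"export_suites={live['export_suites'] or '(none)'} hardened={live['hardened']}")
```

To run the parser against a real build instead of the constructed sample, pipe `openssl ciphers -v 'ALL:COMPLEMENTOFALL'` into `parse_cipher_list`; a build configured with `no-ssl2` will show no SSLv2 lines at all, and a patched 1.0.1 build should show the export suites only when `OPENSSL_ALLOW_EXPORT` is set in that shell.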