Security update for libressl SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2015:2318-1 Final 1 1 2015-12-18T19:50:49Z current 2015-12-18T19:50:49Z 2015-12-18T19:50:49Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libressl LibreSSL was updated to fix two security issues inherited from OpenSSL. The following vulnerabilities were fixed: * CVE-2015-3194: NULL pointer dereference in client side certificate validation * CVE-2015-3195: Memory leak in PKCS7 - not reachable from TLS/SSL The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2015-12/msg00087.html E-Mail link for openSUSE-SU-2015:2318-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 libcrypto36-2.3.0-7.1 libcrypto36-32bit-2.3.0-7.1 libressl-2.3.0-7.1 libressl-devel-2.3.0-7.1 libressl-devel-32bit-2.3.0-7.1 libressl-devel-doc-2.3.0-7.1 libssl37-2.3.0-7.1 libssl37-32bit-2.3.0-7.1 libtls9-2.3.0-7.1 libtls9-32bit-2.3.0-7.1 libcrypto36-2.3.0-7.1 as a component of openSUSE Leap 42.1 libcrypto36-32bit-2.3.0-7.1 as a component of openSUSE Leap 42.1 libressl-2.3.0-7.1 as a component of openSUSE Leap 42.1 libressl-devel-2.3.0-7.1 as a component of openSUSE Leap 42.1 libressl-devel-32bit-2.3.0-7.1 as a component of openSUSE Leap 42.1 libressl-devel-doc-2.3.0-7.1 as a component of openSUSE Leap 42.1 libssl37-2.3.0-7.1 as a component of openSUSE Leap 42.1 libssl37-32bit-2.3.0-7.1 as a component of openSUSE Leap 42.1 libtls9-2.3.0-7.1 as a component of openSUSE Leap 42.1 libtls9-32bit-2.3.0-7.1 as a component of openSUSE Leap 42.1 crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter. CVE-2015-3194 openSUSE Leap 42.1:libcrypto36-2.3.0-7.1 openSUSE Leap 42.1:libcrypto36-32bit-2.3.0-7.1 openSUSE Leap 42.1:libressl-2.3.0-7.1 openSUSE Leap 42.1:libressl-devel-2.3.0-7.1 openSUSE Leap 42.1:libressl-devel-32bit-2.3.0-7.1 openSUSE Leap 42.1:libressl-devel-doc-2.3.0-7.1 openSUSE Leap 42.1:libssl37-2.3.0-7.1 openSUSE Leap 42.1:libssl37-32bit-2.3.0-7.1 openSUSE Leap 42.1:libtls9-2.3.0-7.1 openSUSE Leap 42.1:libtls9-32bit-2.3.0-7.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-12/msg00087.html https://www.suse.com/security/cve/CVE-2015-3194.html CVE-2015-3194 https://bugzilla.suse.com/957812 SUSE Bug 957812 https://bugzilla.suse.com/957815 SUSE Bug 957815 https://bugzilla.suse.com/958768 SUSE Bug 958768 https://bugzilla.suse.com/976341 SUSE Bug 976341 https://bugzilla.suse.com/990370 SUSE Bug 990370 The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application. CVE-2015-3195 openSUSE Leap 42.1:libcrypto36-2.3.0-7.1 openSUSE Leap 42.1:libcrypto36-32bit-2.3.0-7.1 openSUSE Leap 42.1:libressl-2.3.0-7.1 openSUSE Leap 42.1:libressl-devel-2.3.0-7.1 openSUSE Leap 42.1:libressl-devel-32bit-2.3.0-7.1 openSUSE Leap 42.1:libressl-devel-doc-2.3.0-7.1 openSUSE Leap 42.1:libssl37-2.3.0-7.1 openSUSE Leap 42.1:libssl37-32bit-2.3.0-7.1 openSUSE Leap 42.1:libtls9-2.3.0-7.1 openSUSE Leap 42.1:libtls9-32bit-2.3.0-7.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-12/msg00087.html https://www.suse.com/security/cve/CVE-2015-3195.html CVE-2015-3195 https://bugzilla.suse.com/923755 SUSE Bug 923755 https://bugzilla.suse.com/957812 SUSE Bug 957812 https://bugzilla.suse.com/957815 SUSE Bug 957815 https://bugzilla.suse.com/958768 SUSE Bug 958768 https://bugzilla.suse.com/963977 SUSE Bug 963977 https://bugzilla.suse.com/986238 SUSE Bug 986238