OpenSSL Security Advisory (05 June 2014) and Open Enterprise Server 2 SP3.

  • 7015300
  • 01-Jul-2014
  • 01-Jul-2014

Environment

SUSE Linux Enterprise Server 10 Service Pack 4 (SLES 10 SP4)
Novell Open Enterprise Server 2 Linux Support Pack 3 (OES 2 SP3)

Situation

General support for SUSE Linux Enterprise Server 10 SP4 ended on 31 July 2013.
General support for Novell Open Enterprise Server 2 SP3 ended on 31 July 2013.

On 05 June 2014, an OpenSSL Security Advisory was published detailing a set of OpenSSL vulnerabilities for which customers are advised to upgrade.
Because Novell Open Enterprise Server 2 SP3 is currently in extended support, the Novell and SUSE teams have collaborated closely to make these fixes available to Novell OES2 SP3 customers.

Resolution

The oes2p3-openssl-8895 patch, containing the fixes listed below for OpenSSL on SLES 10 SP4, was released through the public OES2 SP3 patch repositories on June 25, 2014. As with any shared-library update, processes that already have libssl/libcrypto loaded keep running the old code until they are restarted, so restart (or reboot) services that use OpenSSL after applying the patch.


The following security issues were fixed with this patch (bnc#880891):

- SSL/TLS MITM vulnerability, the "ChangeCipherSpec injection" flaw (CVE-2014-0224). Per the OpenSSL advisory, an attack requires both a vulnerable client and a vulnerable server; OpenSSL clients of all versions are affected, while servers are only known to be affected from 1.0.1 onward, so on the 0.9.8 code base shipped with SLES 10 the client side is the primary concern.
- DTLS recursion flaw (CVE-2014-0221): an invalid DTLS handshake sent to an OpenSSL DTLS client can cause unbounded recursion and a crash (denial of service).
- Anonymous ECDH denial of service (CVE-2014-3470): TLS clients that enable anonymous ECDH cipher suites can be crashed by a malicious server.
- ECDSA nonces could be recovered using the FLUSH+RELOAD cache side-channel attack (CVE-2014-0076).

Other issues which are also fixed in this release :

- Ensures that the stack is marked non-executable on 32-bit x86. On the other processor platforms it was already marked non-executable (bnc#870192).
- IPv6 support was added to the openssl s_client and s_server command line tool (bnc#859228).
- The openssl command line tool now checks certificates by default against /etc/ssl/certs (this can be changed via the -CApath option) (bnc#860332).
- The Elliptic Curve Diffie-Hellman key exchange selector was enabled and can be selected by kECDHE, kECDH, ECDH tags in the SSL cipher string (bnc#859924).
- If an optional openssl1 command line tool is installed in parallel, c_rehash uses it to generate certificate hash links in both the OpenSSL 0.9.8 style and the OpenSSL 1.x style. This allows OpenSSL 0.9.8j and OpenSSL 1.x client libraries to share one certificate store (bnc#862181).

Link to the OpenSSL advisory for the latest details : http://www.openssl.org/news/secadv_20140605.txt

Cause

Multiple OpenSSL-related security vulnerabilities.