Security update for openssl SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:0842-1 Final 1 1 2024-03-12T07:59:38Z current 2024-03-12T07:59:38Z 2024-03-12T07:59:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openssl This update for openssl fixes the following issues: - CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-842,SUSE-SLE-SERVER-11-SP4-LTSS-EXTREME-CORE-2024-842 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20240842-1/ Link for SUSE-SU-2024:0842-1 https://lists.suse.com/pipermail/sle-security-updates/2024-March/018143.html E-Mail link for SUSE-SU-2024:0842-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1219243 SUSE Bug 1219243 https://www.suse.com/security/cve/CVE-2024-0727/ SUSE CVE CVE-2024-0727 page SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE libopenssl-devel-0.9.8j-0.106.83.1 libopenssl-devel-32bit-0.9.8j-0.106.83.1 libopenssl-devel-64bit-0.9.8j-0.106.83.1 libopenssl0_9_8-0.9.8j-0.106.83.1 libopenssl0_9_8-32bit-0.9.8j-0.106.83.1 libopenssl0_9_8-64bit-0.9.8j-0.106.83.1 libopenssl0_9_8-hmac-0.9.8j-0.106.83.1 libopenssl0_9_8-hmac-32bit-0.9.8j-0.106.83.1 libopenssl0_9_8-hmac-64bit-0.9.8j-0.106.83.1 libopenssl0_9_8-hmac-x86-0.9.8j-0.106.83.1 libopenssl0_9_8-x86-0.9.8j-0.106.83.1 openssl-0.9.8j-0.106.83.1 openssl-doc-0.9.8j-0.106.83.1 libopenssl0_9_8-0.9.8j-0.106.83.1 as a component of SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE libopenssl0_9_8-32bit-0.9.8j-0.106.83.1 as a component of SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE libopenssl0_9_8-hmac-0.9.8j-0.106.83.1 as a component of SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE libopenssl0_9_8-hmac-32bit-0.9.8j-0.106.83.1 as a component of SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE openssl-0.9.8j-0.106.83.1 as a component of SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE openssl-doc-0.9.8j-0.106.83.1 as a component of SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. CVE-2024-0727 SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE:libopenssl0_9_8-0.9.8j-0.106.83.1 SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE:libopenssl0_9_8-32bit-0.9.8j-0.106.83.1 SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE:libopenssl0_9_8-hmac-0.9.8j-0.106.83.1 SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE:libopenssl0_9_8-hmac-32bit-0.9.8j-0.106.83.1 SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE:openssl-0.9.8j-0.106.83.1 SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE:openssl-doc-0.9.8j-0.106.83.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240842-1/ https://www.suse.com/security/cve/CVE-2024-0727.html CVE-2024-0727 https://bugzilla.suse.com/1219243 SUSE Bug 1219243