Security update for openssl-1_0_0
This update for openssl-1_0_0 fixes the following issues:
Security issues fixed:
- CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652).
- CVE-2018-5407: Added elliptic curve scalar multiplication timing attack defenses that fixes "PortSmash" (bsc#1113534).
Non-security issues fixed:
- Added missing timing side channel patch for DSA signature generation (bsc#1113742).
- Set TLS version to 0 in msg_callback for record messages to avoid confusing applications (bsc#1100078).
- Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209)
This update was imported from the SUSE:SLE-15:Update update project.
-
Submitted by
Vítězslav Čížek (vitezslav_cizek)
Fixed bugs
bnc#1100078
curl on SLES12 shows some SSL errors we did not see on SLES11
bnc#1113534
VUL-0: CVE-2018-5407: Hyperthread port content side channel aka "PortSmash"
bnc#1113742
VUL-1: openssl: missing timing side channel patch for DSA signature generation
bnc#1113652
VUL-1: CVE-2018-0734: openssl,openssl1,openssl-1_1,openssl-1_0_0,compat-openssl098: Timing vulnerability in DSA signature generation
bnc#1112209
openssl-1_1 - hangs generating DSA key
