Security update for libressl
This update for libressl to version 2.8.0 fixes the following issues:
Security issues fixed:
- CVE-2018-12434: Avoid a timing side-channel leak when generating DSA and
ECDSA signatures. (boo#1097779)
- Reject excessively large primes in DH key generation.
- CVE-2018-8970: Fixed a bug in int_x509_param_set_hosts, calling strlen() if
name length provided is 0 to match the OpenSSL behaviour. (boo#1086778)
- Fixed an out-of-bounds read and crash in DES-fcrypt (boo#1065363)
You can find a detailed list of changes [here](https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.8.0-relnotes.txt).
-
Submitted by
Jan Engelhardt (jengelh)
Fixed bugs
bnc#1086778
VUL-0: CVE-2018-8970: libressl: The int_x509_param_set_hosts function in lib/libcrypto/x509/x509_vpm.c inLibreSSL 2.7.0 before 2.7.1 does not support a certain special case of a zeroname length, which causes silent omission of hostname verification
bnc#1097779
VUL-0: CVE-2018-12434: LibreSSL before 2.6.5 and 2.7.x before 2.7.4 allows a memory-cache side-channelattack on DSA and ECDSA signatures, aka the Return Of the Hidden Number Problemor ROHNP. To discover a key, the attacker needs access to
bnc#1065363
VUL-1: openssl, libressl: out of bounds read+crash in DES_fcrypt
