File _patchinfo of Package patchinfo.8655

<patchinfo incident="8655">
  <issue tracker="bnc" id="1086778">VUL-0: CVE-2018-8970: libressl: The int_x509_param_set_hosts function in lib/libcrypto/x509/x509_vpm.c in LibreSSL 2.7.0 before 2.7.1 does not support a certain special case of a zero name length, which causes silent omission of hostname verification</issue>
  <issue tracker="bnc" id="1097779">VUL-0: CVE-2018-12434: LibreSSL before 2.6.5 and 2.7.x before 2.7.4 allows a memory-cache side-channel attack on DSA and ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover a key, the attacker needs access to</issue>
  <issue tracker="bnc" id="1065363">VUL-1: openssl, libressl: out of bounds read+crash in DES_fcrypt</issue>
  <issue tracker="cve" id="2018-12434"/>
  <issue tracker="cve" id="2018-8970"/>
  <category>security</category>
  <rating>moderate</rating>
  <packager>jengelh</packager>
  <description>This update for libressl to version 2.8.0 fixes the following issues:

Security issues fixed:

- CVE-2018-12434: Avoid a timing side-channel leak when generating DSA and
  ECDSA signatures. (boo#1097779)
- Reject excessively large primes in DH key generation.
- CVE-2018-8970: Fixed a bug in int_x509_param_set_hosts, calling strlen() if
  the name length provided is 0, to match the OpenSSL behaviour. (boo#1086778)
- Fixed an out-of-bounds read and crash in DES_fcrypt. (boo#1065363)

You can find a detailed list of changes [here](https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.8.0-relnotes.txt).
  </description>
  <summary>Security update for libressl</summary>
</patchinfo>