OpenSSL Security Advisory (05 June 2014) and Open Enterprise Server 11 SP1.

  • 7015264
  • 23-Jun-2014
  • 01-Jul-2014

Environment

SUSE Linux Enterprise Server 11 Service Pack 2 (SLES 11 SP2)
Novell Open Enterprise Server 11 Linux Support Pack 1 (OES 11 SP1)

Situation

SUSE Linux Enterprise Server 11 SP2 General support has ended on 31 Jan 2014.
Novell Open Enterprise Server 11 SP1 General support ends on 29 Jan 2015.

On 05 June 2014, an OpenSSL Security Advisory was published detailing a set of OpenSSL vulnerabilities for which customers are advised to upgrade.
Due to the current support status of Novell Open Enterprise Server 11 SP1, the Novell and SUSE teams have collaborated closely to make these fixes available to Novell OES11 SP1 customers.

Resolution

The oes11sp1-openssl-9354 patch, containing the OpenSSL fixes mentioned above for SLES 11 SP2, was released through the public OES11 SP1 patch repositories on June 23, 2014.

The following security issues were fixed with this patch (bnc#880891):

- SSL/TLS MITM vulnerability (CVE-2014-0224)
- DTLS recursion flaw (CVE-2014-0221)
- Anonymous ECDH denial of service (CVE-2014-3470)
- Nonces could be recovered using the FLUSH+RELOAD cache side-channel attack (CVE-2014-0076)

Other issues also fixed in this release:

- Ensures that the stack is marked non-executable on 32-bit x86. On other processor platforms it was already marked non-executable (bnc#870192).
- IPv6 support was added to the openssl s_client and s_server command line tools (bnc#859228).
- The openssl command line tool now checks certificates by default against /etc/ssl/certs (this can be changed via the -CApath option) (bnc#860332).
- The Elliptic Curve Diffie-Hellman key exchange selector was enabled and can be selected via the kECDHE, kECDH and ECDH tags in the SSL cipher string (bnc#859924).
- If the optional openssl1 command line tool is installed in parallel, c_rehash uses it to generate certificate hashes in both the OpenSSL 0.9.8 and OpenSSL 1.x styles. This allows the OpenSSL 0.9.8j and OpenSSL 1.x client libraries to be used in parallel with a shared certificate store (bnc#862181).
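Why c_rehash has to emit two link names per certificate: OpenSSL 0.9.8 names a CA file by X509_NAME_hash_old (MD5 over the DER-encoded subject), while OpenSSL 1.x uses X509_NAME_hash (SHA-1 over a canonicalised subject), so the same subject yields two different 8-hex-digit names. The following is an added example, not code from this article or from SUSE/Novell; the DER helpers and the subject name are constructed for it.

```python
import hashlib

# Constructed DER helper; short-form lengths are enough for small names.
def _der(tag: int, body: bytes) -> bytes:
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

OID_C, OID_O, OID_CN = (bytes.fromhex(h) for h in ("550406", "55040a", "550403"))
PRINTABLE, UTF8 = 0x13, 0x0C

def _rdn(oid: bytes, tag: int, value: bytes) -> bytes:
    """One single-valued RDN: SET { SEQUENCE { OID, value } }."""
    return _der(0x31, _der(0x30, _der(0x06, oid) + _der(tag, value)))

def name_der(attrs) -> bytes:
    """Full X.509 Name (SEQUENCE OF RDN): the bytes OpenSSL 0.9.8 hashes."""
    return _der(0x30, b"".join(_rdn(o, t, v) for o, t, v in attrs))

def canon_value(value: bytes) -> bytes:
    """OpenSSL 1.x asn1_string_canon(): trim, collapse blanks, ASCII-lowercase."""
    return b" ".join(value.split()).lower()

def name_canon(attrs) -> bytes:
    """OpenSSL 1.x canonical Name: each value re-tagged as UTF8String and
    canonicalised, RDN SETs concatenated without the outer SEQUENCE."""
    return b"".join(_rdn(o, UTF8, canon_value(v)) for o, _t, v in attrs)

def _hash4(digest: bytes) -> str:
    # OpenSSL reads the first four digest bytes as a little-endian uint32.
    return "%08x" % int.from_bytes(digest[:4], "little")

def subject_hash_old(attrs) -> str:
    """X509_NAME_hash_old: MD5 over the DER name (OpenSSL 0.9.8 default)."""
    return _hash4(hashlib.md5(name_der(attrs)).digest())

def subject_hash(attrs) -> str:
    """X509_NAME_hash: SHA-1 over the canonical name (OpenSSL 1.x default)."""
    return _hash4(hashlib.sha1(name_canon(attrs)).digest())

def rehash_links(attrs, suffix: int = 0) -> list:
    """Link names c_rehash creates for one cert in a shared store: one per
    hash style, so 0.9.8j and 1.x client libraries both find it."""
    return sorted({f"{subject_hash_old(attrs)}.{suffix}", f"{subject_hash(attrs)}.{suffix}"})

# Constructed subject: C=US, O=Example  Corp (doubled blank), CN=Example CA
SUBJECT = [(OID_C, PRINTABLE, b"US"), (OID_O, PRINTABLE, b"Example  Corp"),
           (OID_CN, PRINTABLE, b"Example CA")]

if __name__ == "__main__":
    print("0.9.8 style:", subject_hash_old(SUBJECT), " 1.x style:", subject_hash(SUBJECT))
    print("links:", rehash_links(SUBJECT))
```

The real c_rehash does not recompute these itself; it reads them from `openssl x509 -subject_hash` (and, with a 1.x binary, `-subject_hash_old`), which is why the parallel openssl1 tool is needed to get the 1.x-style name on a 0.9.8j system.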

Link to the OpenSSL advisory for the latest details: http://www.openssl.org/news/secadv_20140605.txt

Cause

Multiple OpenSSL-related security vulnerabilities.