Security: Information disclosure in OpenSSL

Name: Information disclosure in OpenSSL
ID: SUSE-SA:2014:002
Distribution: SUSE
Platforms: openSUSE 12.3, openSUSE 13.1
Date: Tue, 8 April 2014, 22:37
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
Applications: OpenSSL

Original message
______________________________________________________________________________
SUSE Security Announcement
Package: openssl
Announcement-ID: SUSE-SA:2014:002
Date: Tuesday, Apr 8 17:00:00 CET 2014
Affected products: openSUSE 12.3, openSUSE 13.1
Vulnerability Type: remote memory disclosure
Rating: critical
SUSE default package: yes
Cross References: CVE-2014-0160

Content of this advisory:
1) security vulnerability resolved:
   - remote memory disclosure in openssl
   problem description
2) affected products
3) solution/workaround
4) special instructions and notes
______________________________________________________________________________
1) problem description, brief discussion
An issue with critical severity in the openssl 1.0.1 library has been identified, under the code name "HeartBleed" (CVE-2014-0160).
In openssl 1.0.1 up to and including 1.0.1f, the TLS "Heartbeat" extension could be used to disclose memory of the process handling the SSL/TLS connection in an easily exploitable way.
The disclosed memory can include, and according to reports did include:
- secret key material (for SSL certificates)
- passwords and other authentication credentials (e.g. http cookies)
- other sensitive data transferred over SSL
This problem affected only openSUSE 12.3 and 13.1, which include openssl 1.0.1e.
We have released updates for openSUSE 12.3 and 13.1, see the associated automated update notice for package details:
http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.html
For further reading: http://heartbleed.com/
2) affected products
openSUSE 12.3 and 13.1 are affected by this problem.
SUSE Linux Enterprise 11 and older products currently include openssl 0.9.8j or older versions, which do not include the TLS Heartbeat extension and thus are not affected by this problem.
3) solution/workaround
There is no workaround; please install the supplied updates.
4) special instructions and notes
After installing the updates, we strongly advise you to:
- Get new SSL certificates for the affected services.
- If your SSL service handled password authentication, we recommend initiating password changes ASAP.
- Invalidate other sensitive data that may have been stored in the memory of an exposed process, such as cookies or private URLs.
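
Section 1 names the TLS Heartbeat extension as the source of the memory disclosure. As an added example (not part of the SUSE advisory and not OpenSSL's code), the C function below shows the receive-side length check that RFC 6520 requires: the sender-supplied payload length must fit inside the record that actually arrived, which is the class of check CVE-2014-0160 was missing. All function and constant names are hypothetical, and the sample messages are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 6520 HeartbeatMessage layout inside one TLS record:
 *   type (1 byte) | payload_length (2 bytes, big endian) | payload | padding (>= 16 bytes) */
#define HB_HEADER_LEN  3u
#define HB_MIN_PADDING 16u

enum hb_verdict { HB_OK = 0, HB_TOO_SHORT = 1, HB_LENGTH_MISMATCH = 2 };

/* Validate a received Heartbeat message before any payload is copied.
 * rec/rec_len: decrypted record body and its real length (hypothetical names).
 * On HB_OK, *payload and *payload_len describe bytes that lie inside the record. */
enum hb_verdict hb_validate(const uint8_t *rec, size_t rec_len,
                            const uint8_t **payload, size_t *payload_len)
{
    /* Record cannot even hold header plus minimum padding: discard. */
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return HB_TOO_SHORT;

    /* The length field is sender-controlled; never trust it on its own. */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* Claimed payload plus header and padding must fit in what was received. */
    if (claimed > rec_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return HB_LENGTH_MISMATCH;

    *payload = rec + HB_HEADER_LEN;
    *payload_len = claimed;
    return HB_OK;
}

/* Builds a constructed message with the given real and claimed sizes and validates it. */
enum hb_verdict hb_check_sample(size_t actual_payload, uint16_t claimed)
{
    uint8_t rec[HB_HEADER_LEN + 64 + HB_MIN_PADDING] = { 0x01 }; /* type 1 = request */
    const uint8_t *p; size_t n;
    if (actual_payload > 64) actual_payload = 64;
    rec[1] = (uint8_t)(claimed >> 8);
    rec[2] = (uint8_t)(claimed & 0xff);
    return hb_validate(rec, HB_HEADER_LEN + actual_payload + HB_MIN_PADDING, &p, &n);
}

int main(void)
{
    printf("well-formed (4 bytes, claims 4): %d\n", hb_check_sample(4, 4));
    printf("oversized claim (4 bytes, claims 16384): %d\n", hb_check_sample(4, 16384));
    return 0;
}
```

A receiver that returns `HB_LENGTH_MISMATCH` should drop the message silently, as RFC 6520 specifies; counting those drops per peer also gives a simple detection signal.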