SUSE Security Update: Security update for gnutls ______________________________________________________________________________
Announcement ID: SUSE-SU-2018:2930-1 Rating: moderate References: #1047002 #1105437 #1105459 #1105460 Cross-References: CVE-2017-10790 CVE-2018-10844 CVE-2018-10845 CVE-2018-10846 Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________
An update that fixes four vulnerabilities is now available.
Description:
This update for gnutls fixes the following security issues:
- Improved mitigations against Lucky 13 class of attacks - CVE-2018-10846: "Just in Time" PRIME + PROBE cache-based side channel attack can lead to plaintext recovery (bsc#1105460) - CVE-2018-10845: HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant (bsc#1105459) - CVE-2018-10844: HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls (bsc#1105437) - CVE-2017-10790: The _asn1_check_identifier function in Libtasn1 caused a NULL pointer dereference and crash (bsc#1047002)
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Module for Desktop Applications 15:
zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2018-2070=1
- SUSE Linux Enterprise Module for Basesystem 15:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-2070=1
Package List:
- SUSE Linux Enterprise Module for Desktop Applications 15 (x86_64):