SUSE Linux Enterprise Software Development Kit 11 SP3
SUSE Linux Enterprise Server 11 SP3 for VMware
SUSE Linux Enterprise Server 11 SP3
SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________
An update that fixes three vulnerabilities is now available.
This OpenSSL update fixes the following issues:
* Session Ticket Memory Leak (CVE-2014-3567)
* Build option no-ssl3 is incomplete (CVE-2014-3568)
* Add support for TLS_FALLBACK_SCSV to mitigate CVE-2014-3566 (POODLE)
Re: AW: [security-announce] SUSE-SU-2014:1361-1: important: Security update for OpenSSL
On Thu, Nov 06, 2014 at 06:51:00AM +0000, [hidden email] wrote:
> When I asked you if we would need the poodle workaround any longer after installing this patch, you answered: yes, because the patch was only for a special product.
> Now, what about this patch: it seemed to me that it includes the poodle leak. Do we - after installing it - still need the workaround as described here:
It includes measures that can be used by applications to mitigate the
issue. You still need to use the workarounds.
Johannes Segitz SUSE Security Team
GPG Key E7C81FA0 EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0
SUSE LINUX GmbH Maxfeldstraße 5 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 21284 (AG Nürnberg)
Nothing special here. Yesterday we talked about openssl1, and the advisory mentioned below is an openssl 0.9 update for SLE11 which also contains the new SCSV feature. With this feature, an application that uses it can detect downgrade attacks.
Still, your services should be configured to only use TLS.