openSSL DoS vulnerability - CVE-2015-0291 & CVE-2015-0204

In case people saw this in the ‘news’ and don’t know how it affects openSUSE, it doesn’t (at least not very much):

OpenSSL warns of two high-severity bugs, but no Heartbleed

Security mavens bracing for Thursday’s scheduled disclosure of a high-severity vulnerability in the widely used OpenSSL crypto library need wait no longer. It’s a bug that allows end users to crash servers running one version of the software by sending data that’s relatively easy to duplicate.

“If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension, a NULL pointer dereference will occur,” an advisory published Thursday morning stated. “This can be exploited in a DoS attack against the server.”

CVE-2015-0291, as the vulnerability is indexed, struck many people as anticlimactic, given Monday’s advisory that a “high” severity bug would be announced. That triggered concerns of a critical bug along the lines of the highly critical Heartbleed vulnerability that attackers used to extract passwords, private keys, and other confidential data from servers used for banking, shopping, and e-mail. By comparison, Thursday’s DoS bug can be used only to force a vulnerable server to reboot.

The vulnerability was widely discussed earlier this week in social media threads such as this one. It was discovered by David Ramos of Stanford University, who agreed to withhold publishing proof-of-concept code that exploits the bug until server administrators have had time to patch the security hole. Based on today’s description of the bug, however, it likely won’t be hard for other people to independently develop exploits.

Source: http://arstechnica.com/security/2015/03/openssl-warns-of-two-high-severity-bugs-but-no-heartbleed/

Hi folks,

The OpenSSL team has just announced a new round of security releases.

http://openssl.org/news/secadv_20150319.txt

Foremost: Do Not Panic.

While the advisory lists 12 fixes, only 2 of them are rated “High”.

The first fix rated "High", CVE-2015-0291, affects only openssl 1.0.2,
which we have not yet included in any of our codestreams or products,
making us not affected.

The second fix rated “High”, CVE-2015-0204, is a changed rating for an
already fixed security vulnerability. We have released fixes for this
in January 2015: https://www.suse.com/security/cve/CVE-2015-0204.html

All other new issues disclosed today are rated “Moderate” and “Low”
by the OpenSSL team.

We are currently releasing the first updates and wrapping up QA on
the others, so you will get fixed packages today (in some hours)
or tomorrow.

Ciao, Marcus

Source: http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00021.html

So all in all, pretty trivial. Fixes rolling out for the small Low / Medium issues later on it seems.
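Since the whole question in this thread is "does CVE-2015-0291 apply to my box?", here is a small version-check script as an added example (not from the Ars article, the openSUSE announcement, or the OpenSSL project). It encodes only what the quoted advisory says, namely that the bug lives in the 1.0.2 release line, plus the fact from the linked secadv_20150319.txt that the fix shipped as 1.0.2a; the sample `openssl version` banners in it are constructed, and the function names are my own.

```python
import re
import subprocess

# CVE-2015-0291 (per the advisory quoted in the thread) exists only in the
# OpenSSL 1.0.2 release line; 1.0.2a is the fixed release. Every other line
# (1.0.1x, 0.9.8x, ...) never had the bug, which is why openSUSE was not affected.
AFFECTED_LINE = (1, 0, 2)

# Matches the start of an `openssl version` banner, e.g. "OpenSSL 1.0.1k 8 Jan 2015"
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Parse the first line of `openssl version` output.

    Returns (major, minor, patch, letter_suffix), or None if the banner is not
    an OpenSSL banner (LibreSSL, BoringSSL, garbage, ...).
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def cve_2015_0291_status(banner):
    """Classify one `openssl version` banner against CVE-2015-0291.

    Returns one of:
      "affected"     - 1.0.2 with no patch letter (the only vulnerable release)
      "fixed"        - 1.0.2a or later in the 1.0.2 line
      "not-affected" - any other release line, which never contained the bug
      "unknown"      - banner could not be parsed
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    major, minor, patch, letters = parsed
    if (major, minor, patch) != AFFECTED_LINE:
        return "not-affected"
    return "affected" if letters == "" else "fixed"


def check_local_openssl():
    """Run the installed `openssl version` and classify it (returns 'unknown' if absent)."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return "unknown"
    return cve_2015_0291_status(out)


if __name__ == "__main__":
    # Constructed sample banners; the dates are only illustrative.
    samples = [
        "OpenSSL 1.0.2 22 Jan 2015",        # affected
        "OpenSSL 1.0.2a 19 Mar 2015",       # fixed
        "OpenSSL 1.0.1k 8 Jan 2015",        # not-affected
        "OpenSSL 1.0.1j-fips 15 Oct 2014",  # not-affected (suffix after the letter ignored)
        "LibreSSL 2.1.4",                   # unknown
    ]
    for s in samples:
        print(f"{s!r:40} -> {cve_2015_0291_status(s)}")
    print("local build ->", check_local_openssl())
```

One caveat for distribution packages: vendors sometimes backport a fix without bumping the upstream letter suffix, so for a distro build the package changelog or the vendor CVE page (like the SUSE link Marcus gave) is the authority, and this script is only a first-pass triage of the upstream version string.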

Hi,

Thanks for that info.