Hi,

The openssl team is just releasing security updates fixing various issues in openssl.

The most relevant issue is called “DROWN”, http://drownattack.com/ , CVE-2016-0800

Basically the SSLv2 protocol, especially when used with weak (EXPORT) ciphers is vulnerable to
technically feasible Man-in-the-Middle Attacks.

There is no choice but to switch SSLv2 and also EXPORT ciphers now off by default.

For SLES (and also Leap 42.1) we are taking this step, but you can override this for very old
legacy software using environment variables.

Set the environment variables:
OPENSSL_ALLOW_SSL2 for allowing sslv2 again
OPENSSL_ALLOW_EXPORT for allowing EXPORT ciphers again

Online updates for SUSE Linux Enterprise are currently being
released and a TID for SUSE Linux Enterprise will be published at
https://www.suse.com/support/kb/doc.php?id=7017297

openSUSE 13.2 and openSUSE Tumbleweed already ship built with “no-ssl2”
configure option, so do not feature SSLv2 anymore at all.

openSUSE Leap 42.1 will get an update imported from SLES 12 SP1 today.

There is a secondary issue called “CacheBleed”, which however requires
attackers to operate on the same CPU in the same HyperThread making this
attack less likely. ( http://ssrg.nicta.com.au/projects/TS/cachebleed// )

Other security issues with lesser impact are also fixed in this update
round, but not specifically mentioned in this email.

Ciao, Marcus
—–BEGIN PGP SIGNATURE—–

iQIcBAEBCgAGBQJW1aOgAAoJEFj8WLExfNUC6XMP/1CRPuPmpONdTEkkQn632qz+
WAJDNQjpea0s3tle8IAvH7/H93fX/oc4k0xQq9We2xa+89fq3VoxEcUVVOyJrYV/
x1Com1nkyUTQW04cpLfWTZkPwQIMC6PZfNwLuYyKDX5zjLHsStxLDs9g2OYnA+MK
z38vsX/Lg4qVELsNakzwcMTuZpDBRXh5Ccj2VUINUMHHdd9tC7RnoaOjl9jiKjl1
Sz68xLuAoQemYvHEPWkgv1mnJvHIoh6jh6J17RsSaTFXjWEL9Lh01pKbRnOzITRi
cEBnwIGz7sQUXvgEgaTYIJoIoiJxA4aqGnSM0UeSljGTpV54667+18X81HFisx8x
OncWHrznIsBTWkYHUDiar0fJDf3JtctD+Eiv7OZoF/Kc3r9i3DbRCWBJwy1iLPIy
gSksfQI6Ozy7W9DaSAQHPg/2NRuSz60XvirNF7+4s3/ZN3pAqIc+D6VGXPtpES5S
Wmq5csumSP9imNGZKi2HePdx6UQhK8be5NjHL0oSJYk5YurcFr+8nAT3tajt6R7v
6uSES3iat7i+egY4vXN3EUZJVv31jauAjQGy7H4iRxnTQgDlJyd/mIhX1AGYTvpf
2B0Lr81XCidRH8JK/6huPLPu6UM0HaArZj9LdarbNTpOd/R2nf09xl9AsZCVm4HN
ZnM6etAiBN4WyyRPvfzP
=hgaj
—–END PGP SIGNATURE—–