Bug 1151490

Summary: Regression of OpenSSL 1.1.1b-1 in EVP_PBE_scrypt() with salt=NULL
Product: [openSUSE] openSUSE Distribution
Reporter: Matej Cepl <mcepl>
Component: Security
Assignee: Vítězslav Čížek <vcizek>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: amajer, meissner, vcizek
Version: Leap 15.2
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1149792

Description Matej Cepl 2019-09-20 13:25:42 UTC
According to https://bugs.python.org/issue36263, the failing test.test_hashlib.KDFTests.test_scrypt in Python 3.* (Python 2.7 is surprisingly not affected) is caused by the bug resolved in the GitHub PR https://github.com/openssl/openssl/pull/8483, and there is also a long discussion on the topic in the Fedora bug https://bugzilla.redhat.com/1688284.
Comment 6 Swamp Workflow Management 2019-10-29 14:14:55 UTC
SUSE-SU-2019:2802-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1149121,1149792,1149955,1151490,1153238
CVE References: CVE-2019-16056,CVE-2019-16935
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    python3-3.6.9-3.39.1, python3-base-3.6.9-3.39.1, python3-doc-3.6.9-3.39.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    python3-3.6.9-3.39.1, python3-base-3.6.9-3.39.1, python3-doc-3.6.9-3.39.1
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    python3-base-3.6.9-3.39.1
SUSE Linux Enterprise Module for Development Tools 15 (src):    python3-base-3.6.9-3.39.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    python3-3.6.9-3.39.1, python3-base-3.6.9-3.39.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    python3-3.6.9-3.39.1, python3-base-3.6.9-3.39.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2019-11-05 20:48:15 UTC
openSUSE-SU-2019:2438-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1149121,1149792,1149955,1151490,1153238
CVE References: CVE-2019-16056,CVE-2019-16935
Sources used:
openSUSE Leap 15.1 (src):    python3-3.6.9-lp151.6.4.1, python3-base-3.6.9-lp151.6.4.1
Comment 8 Swamp Workflow Management 2019-11-09 17:22:38 UTC
openSUSE-SU-2019:2453-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1149121,1149792,1149955,1151490,1153238
CVE References: CVE-2019-16056,CVE-2019-16935
Sources used:
openSUSE Leap 15.0 (src):    python3-3.6.9-lp150.2.14.1, python3-base-3.6.9-lp150.2.14.1
Comment 9 Vítězslav Čížek 2019-12-04 12:27:09 UTC
The bug got introduced when we backported the OpenSSH KDF to OpenSSL 1.1.1 for jsc#SLE-8789. It caused problems for other packages as well (nodejs).

It's already been fixed by https://build.suse.de/request/show/204835.
Patch openssl-jsc-SLE-8789-backport_KDF.patch has been updated to include the change from commit https://github.com/openssl/openssl/commit/253d7622222166959d1a5e724434aae3fbd2537d.
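
A quick check for whether an installed Python/OpenSSL pair still shows the scrypt regression tracked here, added as an example and not part of the original report or of the Python or OpenSSL test suites. It runs `hashlib.scrypt` over two RFC 7914 test vectors, the first with an empty password and salt; the function name `check_scrypt` and its status strings are assumptions of this example.

```python
import hashlib
import ssl

# RFC 7914 section 12 test vectors: (label, password, salt, n, r, p, expected hex).
# The first vector uses an empty password and an empty salt.
RFC7914_VECTORS = [
    ("empty-salt", b"", b"", 16, 1, 1,
     "77d6576238657b203b19ca42c18a0497"
     "f16b4844e3074ae8dfdffa3fede21442"
     "fcd0069ded0948f8326a753a0fc81f17"
     "e8d3e0fb2e0d3628cf35e20c38d18906"),
    ("nacl-salt", b"password", b"NaCl", 1024, 8, 16,
     "fdbabe1c9d3472007856e7190d01e9fe"
     "7c6ad7cbc8237830e77376634b373162"
     "2eaf30d92e22a3886ff109279d9830da"
     "c727afb94a83ee6d8360cbdfa2cc0640"),
]


def check_scrypt():
    """Return {label: status}; status is 'ok', 'mismatch', 'error: ...' or 'unavailable'."""
    if not hasattr(hashlib, "scrypt"):
        # Python was built without OpenSSL scrypt support; nothing to test.
        return {label: "unavailable" for label, *_ in RFC7914_VECTORS}
    results = {}
    for label, password, salt, n, r, p, expected in RFC7914_VECTORS:
        try:
            derived = hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, dklen=64)
        except (ValueError, MemoryError) as exc:
            # A rejected call on a valid vector means the KDF backend is broken.
            results[label] = "error: %s" % exc
            continue
        results[label] = "ok" if derived.hex() == expected else "mismatch"
    return results


if __name__ == "__main__":
    print("linked against:", ssl.OPENSSL_VERSION)
    for label, status in check_scrypt().items():
        print("%-12s %s" % (label, status))
```

Any status other than `ok` on a build that provides `hashlib.scrypt` means the KDF output cannot be trusted for that input.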
Comment 11 Swamp Workflow Management 2020-01-16 14:15:34 UTC
SUSE-SU-2020:0114-1: An update that solves 26 vulnerabilities and has 30 fixes is now available.

Category: security (important)
Bug References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523
CVE References: CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2, python3-doc-3.6.10-3.42.3
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2, python3-doc-3.6.10-3.42.3
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    python3-base-3.6.10-3.42.2
SUSE Linux Enterprise Module for Development Tools 15 (src):    python3-base-3.6.10-3.42.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2
SUSE Linux Enterprise Module for Basesystem 15 (src):    python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2

Comment 12 Swamp Workflow Management 2020-01-21 20:18:11 UTC
openSUSE-SU-2020:0086-1: An update that solves 26 vulnerabilities and has 30 fixes is now available.

Category: security (important)
Bug References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523
CVE References: CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947
Sources used:
openSUSE Leap 15.1 (src):    python3-3.6.10-lp151.6.7.1, python3-base-3.6.10-lp151.6.7.1
Comment 13 Swamp Workflow Management 2020-02-03 17:14:11 UTC
SUSE-SU-2020:0302-1: An update that solves 10 vulnerabilities and has 11 fixes is now available.

Category: security (important)
Bug References: 1027282,1029377,1081750,1083507,1086001,1088009,1094814,1109663,1137942,1138459,1141853,1149121,1149429,1149792,1149955,1151490,1159035,1159622,709442,951166,983582
CVE References: CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    python36-3.6.10-4.3.5, python36-base-3.6.10-4.3.5

Comment 19 OBSbugzilla Bot 2020-11-27 16:42:41 UTC
This is an autogenerated message for OBS integration:
This bug (1151490) was mentioned in
https://build.opensuse.org/request/show/851367 Factory / python36
Comment 21 OBSbugzilla Bot 2020-12-01 18:22:36 UTC
This is an autogenerated message for OBS integration:
This bug (1151490) was mentioned in
https://build.opensuse.org/request/show/852415 Factory / python36
Comment 23 OBSbugzilla Bot 2020-12-05 17:32:32 UTC
This is an autogenerated message for OBS integration:
This bug (1151490) was mentioned in
https://build.opensuse.org/request/show/853277 Factory / python36
Comment 24 OBSbugzilla Bot 2020-12-05 19:12:39 UTC
This is an autogenerated message for OBS integration:
This bug (1151490) was mentioned in
https://build.opensuse.org/request/show/853314 Factory / python36
Comment 27 OBSbugzilla Bot 2020-12-17 18:12:39 UTC
This is an autogenerated message for OBS integration:
This bug (1151490) was mentioned in
https://build.opensuse.org/request/show/856737 Factory / python36
Comment 28 OBSbugzilla Bot 2021-10-06 14:42:48 UTC
This is an autogenerated message for OBS integration:
This bug (1151490) was mentioned in
https://build.opensuse.org/request/show/923499 Factory / python36
Comment 29 OBSbugzilla Bot 2021-10-22 08:42:53 UTC
This is an autogenerated message for OBS integration:
This bug (1151490) was mentioned in
https://build.opensuse.org/request/show/926876 Factory / python36