Bug 963415 (CVE-2015-3197)

Summary: VUL-1: CVE-2015-3197: openssl: SSLv2 doesn't block disabled ciphers
Product: [Novell Products] SUSE Security Incidents Reporter: Andreas Stieger <astieger>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P4 - Low CC: brendon.caligari, hannsj_uhl, hines.vaughan, meissner, roger.whittaker, vcizek
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv2:SUSE:CVE-2015-3197:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv2:RedHat:CVE-2015-3197:5.8:(AV:N/AC:M/Au:N/C:P/I:P/A:N) maint:running:62484:important maint:released:sle10-sp3:62493 maint:running:62525:important maint:released:sle10-sp4:62496 maint:released:oes11-sp2:62531
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 963410    
Bug Blocks:    

Description Andreas Stieger 2016-01-25 12:30:15 UTC
Created attachment 663062 [details]
cve-2015-3197.patch

EMBARGOED via distros and private request.
CRD: 2016-01-28
Public part (pre-notification) is in bug 963410.

SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
====================================================

Severity: Low

A malicious client can negotiate SSLv2 ciphers that have been disabled on the
server and complete SSLv2 handshakes even if all SSLv2 ciphers have been
disabled, provided that the SSLv2 protocol was not also disabled via
SSL_OP_NO_SSLv2.

This issue affects OpenSSL versions 1.0.2, 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2f
OpenSSL 1.0.1 users should upgrade to 1.0.1r

This issue was reported to OpenSSL on 26th December 2016 by Nimrod Aviram and
Sebastian Schinzel. The fix was developed by Nimrod Aviram with further
development by Viktor Dukhovni of the OpenSSL development team.
Comment 2 Swamp Workflow Management 2016-01-25 23:00:36 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2016-01-28 14:51:00 UTC
fix has been committed to openssl git


commit d81a1600588b726c2bdccda7efad3cc7a87d6245
Author: Viktor Dukhovni <openssl-users@dukhovni.org>
Date:   Wed Dec 30 22:44:51 2015 -0500

    Better SSLv2 cipher-suite enforcement
    
    Based on patch by: Nimrod Aviram <nimrod.aviram@gmail.com>
    
    CVE-2015-3197
    
    Reviewed-by: Tim Hudson <tjh@openssl.org>
    Reviewed-by: Richard Levitte <levitte@openssl.org>
Comment 4 Bernhard Wiedemann 2016-01-28 15:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (963415) was mentioned in
https://build.opensuse.org/request/show/356556 13.2 / openssl
Comment 5 Andreas Stieger 2016-01-28 15:11:51 UTC
Advisory public at https://openssl.org/news/secadv/20160128.txt
Comment 6 Andreas Stieger 2016-01-28 15:12:12 UTC
Advisory public at https://openssl.org/news/secadv/20160128.txt
Comment 7 Marcus Meissner 2016-01-28 15:16:43 UTC
SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
====================================================

Severity: Low

A malicious client can negotiate SSLv2 ciphers that have been disabled on the
server and complete SSLv2 handshakes even if all SSLv2 ciphers have been
disabled, provided that the SSLv2 protocol was not also disabled via
SSL_OP_NO_SSLv2.

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2f
OpenSSL 1.0.1 users should upgrade to 1.0.1r

This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram and
Sebastian Schinzel. The fix was developed by Nimrod Aviram with further
development by Viktor Dukhovni of the OpenSSL development team.
Comment 8 Bernhard Wiedemann 2016-01-28 16:00:18 UTC
This is an autogenerated message for OBS integration:
This bug (963415) was mentioned in
https://build.opensuse.org/request/show/356565 Factory / openssl
Comment 9 Swamp Workflow Management 2016-02-07 19:12:36 UTC
openSUSE-SU-2016:0362-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 963415
CVE References: CVE-2015-3197
Sources used:
openSUSE 13.2 (src):    openssl-1.0.1k-2.30.1
Comment 10 Bernhard Wiedemann 2016-02-08 14:00:27 UTC
This is an autogenerated message for OBS integration:
This bug (963415) was mentioned in
https://build.opensuse.org/request/show/358362 Factory / openssl
Comment 11 Hanns-Joachim Uhl 2016-02-12 12:23:10 UTC
Hello SUSE,
... I got the following questions from the field:
- do you plan to provide an update also for openssl 0.9.8 
  (or for openssl 1.0.1 only) ...?
- do you plan to provide an update for SLES 11 SP3 
  (or for SLES 11 SP4 only) ...?
Please advise ...
Thanks in advance for your support.
Comment 12 Marcus Meissner 2016-02-12 12:30:18 UTC
Yes, we plan to fix this also for openssl 0.9.8.

as this is a low issue, we will do it not right now, but in a later update.

SLES 11 sP3 has entered 3 years of LTSS on January 31st, so if a customer has a contract for LTSS, he will get it with the next openssl update we publish there.
(The general support and maintenance for SLES 11 sP3 has ended.)
Comment 13 Swamp Workflow Management 2016-02-12 13:12:17 UTC
openSUSE-SU-2016:0442-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 963415
CVE References: CVE-2015-3197
Sources used:
openSUSE 13.1 (src):    openssl-1.0.1k-11.78.1
Comment 25 Marcus Meissner 2016-02-29 10:45:47 UTC
Changed QA Reproducer:

Note: we test the _server_ side, not the client.


On system under test:
openssl s_server -ssl2 -cert /etc/ssl/newcert.pem -key /etc/ssl/newkey.pem -no_dhe -cipher RC2-CBC-MD5:DES-CBC3-MD5:DES-CBC-MD5


on a machine remote side that can still talk ssl2:

openssl s_client -ssl2 -connect  $SUT.suse.de:4433 -cipher RC4-MD5

BEFORE:
140475692766864:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:452:
...
SSL-Session:
    Protocol  : SSLv2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 

AFTER:
140313636910736:error:1406D0CB:SSL routines:GET_SERVER_HELLO:peer error no cipher:s2_pkt.c:681:
140313636910736:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:429:

SSL-Session:
    Protocol  : SSLv2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 


Note as indicator the new error message coming from the server.

I think the issue was not there before either, as the SSL connect then terminated anyway.
Comment 27 Swamp Workflow Management 2016-03-01 17:12:48 UTC
SUSE-SU-2016:0617-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 952871,958501,963415,968046,968047,968048,968050,968051,968053,968265,968374
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0704,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12 (src):    openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Desktop 12 (src):    openssl-1.0.1i-27.13.1
Comment 28 Swamp Workflow Management 2016-03-01 17:16:34 UTC
SUSE-SU-2016:0620-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 958501,963415,968046,968047,968048,968050,968051,968053,968265,968374
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0704,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    openssl-1.0.1i-44.1
SUSE Linux Enterprise Server 12-SP1 (src):    openssl-1.0.1i-44.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    openssl-1.0.1i-44.1
Comment 29 Swamp Workflow Management 2016-03-01 17:19:36 UTC
SUSE-SU-2016:0621-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 952871,963415,968046,968047,968048,968050,968051,968053,968265,968374
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0704,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800
Sources used:
SUSE Linux Enterprise Server 11-SECURITY (src):    openssl1-1.0.1g-0.40.1
Comment 30 Swamp Workflow Management 2016-03-01 18:12:34 UTC
SUSE-SU-2016:0624-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 952871,963415,967787,968046,968047,968048,968051,968053,968374
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0705,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800
Sources used:
SUSE Studio Onsite 1.3 (src):    openssl-0.9.8j-0.89.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    openssl-0.9.8j-0.89.1
SUSE Linux Enterprise Server 11-SP4 (src):    openssl-0.9.8j-0.89.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    openssl-0.9.8j-0.89.1
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    openssl-0.9.8j-0.89.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    openssl-0.9.8j-0.89.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    openssl-0.9.8j-0.89.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    openssl-0.9.8j-0.89.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    openssl-0.9.8j-0.89.1
Comment 31 Swamp Workflow Management 2016-03-02 13:12:12 UTC
openSUSE-SU-2016:0628-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 958501,963415,968046,968047,968048,968050,968051,968053,968265,968374
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0704,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800
Sources used:
openSUSE Leap 42.1 (src):    openssl-1.0.1i-12.1
Comment 32 Swamp Workflow Management 2016-03-02 17:12:18 UTC
SUSE-SU-2016:0631-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 963415,968046,968048,968051,968053,968374
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800
Sources used:
SUSE Linux Enterprise Server for SAP 11-SP4 (src):    compat-openssl097g-0.9.7g-146.22.41.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    compat-openssl097g-0.9.7g-146.22.41.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    compat-openssl097g-0.9.7g-146.22.41.1
Comment 33 Swamp Workflow Management 2016-03-02 22:12:44 UTC
openSUSE-SU-2016:0637-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 957812,957815,963415,968046,968047,968048,968050,968265,968374
CVE References: CVE-2015-1794,CVE-2015-3194,CVE-2015-3195,CVE-2015-3197,CVE-2016-0701,CVE-2016-0702,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800
Sources used:
openSUSE Evergreen 11.4 (src):    openssl-1.0.1p-71.1
Comment 34 Swamp Workflow Management 2016-03-03 13:12:10 UTC
openSUSE-SU-2016:0640-1: An update that fixes 37 vulnerabilities is now available.

Category: security (important)
Bug References: 952871,963415,967787,968046,968048,968374
CVE References: CVE-2013-0166,CVE-2013-0169,CVE-2014-0076,CVE-2014-0195,CVE-2014-0221,CVE-2014-0224,CVE-2014-3470,CVE-2014-3505,CVE-2014-3506,CVE-2014-3507,CVE-2014-3508,CVE-2014-3510,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568,CVE-2014-3569,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-8275,CVE-2015-0204,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0293,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-3195,CVE-2015-3197,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800
Sources used:
openSUSE Leap 42.1 (src):    libopenssl0_9_8-0.9.8zh-14.1
openSUSE 13.2 (src):    libopenssl0_9_8-0.9.8zh-9.3.1
Comment 35 Swamp Workflow Management 2016-03-03 14:11:55 UTC
SUSE-SU-2016:0641-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 952871,963415,968046,968048,968051,968053,968374
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0704,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    compat-openssl098-0.9.8j-94.1
SUSE Linux Enterprise Module for Legacy Software 12 (src):    compat-openssl098-0.9.8j-94.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    compat-openssl098-0.9.8j-94.1
SUSE Linux Enterprise Desktop 12 (src):    compat-openssl098-0.9.8j-94.1
Comment 36 Marcus Meissner 2016-03-07 15:45:45 UTC
released
Comment 37 Swamp Workflow Management 2016-03-07 17:14:14 UTC
SUSE-SU-2016:0678-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 937492,957812,963415,968046,968048,968051,968053,968374
CVE References: CVE-2015-0287,CVE-2015-3195,CVE-2015-3197,CVE-2016-0703,CVE-2016-0704,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    openssl-0.9.8a-18.94.2
Comment 38 Swamp Workflow Management 2016-03-11 13:14:50 UTC
openSUSE-SU-2016:0720-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 952871,963415,968046,968048,968051,968053,968374
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0704,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800
Sources used:
openSUSE Leap 42.1 (src):    compat-openssl098-0.9.8j-9.1
Comment 39 Swamp Workflow Management 2016-04-15 19:10:02 UTC
SUSE-SU-2016:1057-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 952871,963415,967787,968046,968047,968048,968051,968053,968374
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0705,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800
Sources used:
SUSE OpenStack Cloud 5 (src):    openssl-0.9.8j-0.91.1
SUSE Manager Proxy 2.1 (src):    openssl-0.9.8j-0.91.1
SUSE Manager 2.1 (src):    openssl-0.9.8j-0.91.1
Comment 40 Swamp Workflow Management 2016-05-05 11:09:51 UTC
openSUSE-SU-2016:1239-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 963415,968046,968048,968050,968374,976942,976943,977614,977615,977617
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE Evergreen 11.4 (src):    libopenssl0_9_8-0.9.8zh-14.1
Comment 41 Swamp Workflow Management 2016-05-05 11:12:18 UTC
openSUSE-SU-2016:1241-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 963415,968046,968048,968050,968374,976942,976943,977614,977615,977617
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE 13.1 (src):    libopenssl0_9_8-0.9.8zh-5.3.1
Comment 42 Swamp Workflow Management 2022-02-16 21:21:53 UTC
SUSE-FU-2022:0445-1: An update that solves 183 vulnerabilities, contains 21 features and has 299 fixes is now available.

Category: feature (moderate)
Bug References: 1000080,1000117,1000194,1000677,1000742,1001148,1001912,1002585,1002895,1003091,1005246,1009528,1010874,1010966,1011936,1015549,1019637,1021641,1022085,1022086,1022271,1027079,1027610,1027688,1027705,1027908,1028281,1028723,1029523,1029902,1030038,1032118,1032119,1035604,1039469,1040164,1040256,1041090,1042392,1042670,1044095,1044107,1044175,1049186,1049304,1050653,1050665,1055478,1055542,1055825,1056058,1056951,1057496,1062237,1065363,1066242,1066873,1068790,1070737,1070738,1070853,1071905,1071906,1071941,1073310,1073845,1073879,1074247,1076519,1077096,1077230,1078329,1079761,1080301,1081005,1081750,1081751,1082155,1082163,1082318,1083826,1084117,1084157,1085276,1085529,1085661,1087102,1087104,1088573,1089039,1090427,1090765,1090953,1093518,1093917,1094788,1094814,1094883,1095267,1096738,1096937,1097158,1097531,1097624,1098535,1098592,1099308,1099569,1100078,1101246,1101470,1102868,1104789,1106197,1108508,1109882,1109998,1110435,1110869,1110871,1111493,1111622,1111657,1112209,1112357,1113534,1113652,1113742,1113975,1115769,1117951,1118611,1119376,1119416,1119792,1121717,1121852,1122191,1123064,1123185,1123186,1123558,1124885,1125815,1126283,1126318,1127080,1127173,1128146,1128323,1128355,1129071,1129566,1130840,1131291,1132174,1132323,1132455,1132663,1132900,1135009,1136444,1138666,1138715,1138746,1139915,1140255,1141168,1142899,1143033,1143454,1143893,1144506,1149686,1149792,1150003,1150190,1150250,1150895,1153830,1155815,1156677,1156694,1156908,1157104,1157354,1158809,1159235,1159538,1160163,1161557,1161770,1162224,1162367,1162743,1163978,1164310,1165439,1165578,1165730,1165823,1165960,1166139,1166758,1167008,1167501,1167732,1167746,1168480,1168973,1169489,1170175,1170863,1171368,1171561,1172226,1172908,1172928,1173226,1173356,1174009,1174091,1174514,1175729,1176116,1176129,1176134,1176232,1176256,1176257,1176258,1176259,1176262,1176389,1176785,1176977,1177120,1177127,1177559,1178168,1178341,1178670,1179491,1179562,1179630,1179805,1180125,1180781,1181126,1181324,1181944,1182066,1182211,1182244,1182264,1182331,1182333,1182379,1182963,1183059,1183374,1183858,1184505,1185588,1185706,1185748,1186738,1187045,1189521,1190781,1193357,356549,381844,394317,408865,428177,430141,431945,437293,442740,459468,489641,504687,509031,526319,590833,610223,610642,629905,637176,651003,657698,658604,670526,673071,693027,715423,720601,743787,747125,748738,749210,749213,749735,750618,751718,751946,751977,754447,754677,761500,774710,784670,784994,787526,793420,799119,802184,803004,809831,811890,822642,825221,828513,831629,832833,834601,835687,839107,84331,849377,855666,855676,856687,857203,857850,858239,867887,869945,871152,872299,873351,876282,876710,876712,876748,880891,885662,885882,889013,889363,892477,892480,895129,898917,901223,901277,901902,902364,906878,907584,908362,908372,912014,912015,912018,912292,912293,912294,912296,912460,913229,915479,917607,917759,917815,919648,920236,922448,922488,922496,922499,922500,926597,929678,929736,930189,931698,931978,933898,933911,934487,934489,934491,934493,935856,937085,937212,937492,937634,937912,939456,940608,942385,942751,943421,944204,945455,946648,947104,947357,947679,948198,952871,954256,954486,954690,957812,957813,957815,958501,961334,962291,963415,963974,964204,964472,964474,965830,967128,968046,968047,968048,968050,968265,968270,968374,968601,975875,976942,977584,977614,977615,977616,977663,978224,981848,982268,982575,983249,984323,985054,988086,990207,990392,990419,990428,991193,991877,992120,992988,992989,992992,993130,993819,993825,993968,994749,994844,994910,995075,995324,995359,995377,995959,996255,997043,997614,998190,999665,999666,999668
CVE References: CVE-2006-2937,CVE-2006-2940,CVE-2006-3738,CVE-2006-4339,CVE-2006-4343,CVE-2006-7250,CVE-2007-3108,CVE-2007-4995,CVE-2007-5135,CVE-2008-0891,CVE-2008-1672,CVE-2008-5077,CVE-2009-0590,CVE-2009-0591,CVE-2009-0789,CVE-2009-1377,CVE-2009-1378,CVE-2009-1379,CVE-2009-1386,CVE-2009-1387,CVE-2010-0740,CVE-2010-0742,CVE-2010-1633,CVE-2010-2939,CVE-2010-3864,CVE-2010-5298,CVE-2011-0014,CVE-2011-3207,CVE-2011-3210,CVE-2011-3389,CVE-2011-4108,CVE-2011-4576,CVE-2011-4577,CVE-2011-4619,CVE-2011-4944,CVE-2012-0027,CVE-2012-0050,CVE-2012-0845,CVE-2012-0884,CVE-2012-1150,CVE-2012-1165,CVE-2012-2110,CVE-2012-2686,CVE-2012-4929,CVE-2013-0166,CVE-2013-0169,CVE-2013-1752,CVE-2013-4238,CVE-2013-4314,CVE-2013-4353,CVE-2013-6449,CVE-2013-6450,CVE-2014-0012,CVE-2014-0076,CVE-2014-0160,CVE-2014-0195,CVE-2014-0198,CVE-2014-0221,CVE-2014-0224,CVE-2014-1829,CVE-2014-1830,CVE-2014-2667,CVE-2014-3470,CVE-2014-3505,CVE-2014-3506,CVE-2014-3507,CVE-2014-3508,CVE-2014-3509,CVE-2014-3510,CVE-2014-3511,CVE-2014-3512,CVE-2014-3513,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-4650,CVE-2014-5139,CVE-2014-7202,CVE-2014-7203,CVE-2014-8275,CVE-2014-9721,CVE-2015-0204,CVE-2015-0205,CVE-2015-0206,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0293,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-2296,CVE-2015-3194,CVE-2015-3195,CVE-2015-3196,CVE-2015-3197,CVE-2015-3216,CVE-2015-4000,CVE-2016-0702,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800,CVE-2016-10745,CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2109,CVE-2016-2176,CVE-2016-2177,CVE-2016-2178,CVE-2016-2179,CVE-2016-2180,CVE-2016-2181,CVE-2016-2182,CVE-2016-2183,CVE-2016-6302,CVE-2016-6303,CVE-2016-6304,CVE-2016-6306,CVE-2016-7052,CVE-2016-7055,CVE-2016-9015,CVE-2017-18342,CVE-2017-3731,CVE-2017-3732,CVE-2017-3735,CVE-2017-3736,CVE-2017-3737,CVE-2017-3738,CVE-2018-0732,CVE-2018-0734,CVE-2018-0737,CVE-2018-0739,CVE-2018-18074,CVE-2018-20060,CVE-2018-5407,CVE-2018-7750,CVE-2019-10906,CVE-2019-11236,CVE-2019-11324,CVE-2019-13132,CVE-2019-1547,CVE-2019-1551,CVE-2019-1559,CVE-2019-1563,CVE-2019-20907,CVE-2019-20916,CVE-2019-5010,CVE-2019-6250,CVE-2019-8341,CVE-2019-9740,CVE-2019-9947,CVE-2020-14343,CVE-2020-15166,CVE-2020-15523,CVE-2020-15801,CVE-2020-1747,CVE-2020-1971,CVE-2020-25659,CVE-2020-26137,CVE-2020-27783,CVE-2020-28493,CVE-2020-29651,CVE-2020-36242,CVE-2020-8492,CVE-2021-23336,CVE-2021-23840,CVE-2021-23841,CVE-2021-28957,CVE-2021-29921,CVE-2021-3177,CVE-2021-33503,CVE-2021-3426,CVE-2021-3712
JIRA References: ECO-3105,SLE-11435,SLE-12684,SLE-12986,SLE-13688,SLE-14253,SLE-15159,SLE-15860,SLE-15861,SLE-16754,SLE-17532,SLE-17957,SLE-18260,SLE-18354,SLE-18446,SLE-19264,SLE-3887,SLE-4480,SLE-4577,SLE-7686,SLE-9135
Sources used:
SUSE Manager Tools 12-BETA (src):    venv-salt-minion-3002.2-3.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.