Bug 880891 - (CVE-2014-0195) VUL-0: OpenSSL: OpenSSL security release June 5th
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P1 - Urgent
Severity: Critical
Target Milestone: ---
Assigned To: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:released:sle11-sp1:57667 maint...
Keywords: DSLA_REQUIRED, DSLA_SOLUTION_PROVIDED
Depends on:
Blocks: 905018
Reported: 2014-06-02 07:47 UTC by Johannes Segitz
Modified: 2022-02-16 21:15 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Patch (6.12 KB, patch)
2014-06-03 08:47 UTC, Johannes Segitz

Comment 5 Swamp Workflow Management 2014-06-03 08:57:26 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-06-10.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/57639
Comment 6 SMASH SMASH 2014-06-03 09:00:18 UTC
Affected packages:

SLE-11-SP3: openssl
SLE-11-SP2: openssl
SLE-11-SP1: openssl
SLE-10-SP3-TERADATA: openssl
SLE-9-SP3-TERADATA: openssl
SLE-10-SP4: openssl
Comment 12 Shawn Chang 2014-06-03 16:20:17 UTC
Submit requests for SLE11/SLE10/SLE9 already.
Comment 21 Marcus Meissner 2014-06-05 11:32:35 UTC
This just went public, see www.openssl.org

Please submit for openSUSE 12.3, 13.1, Factory and also SLES 12.  (I would say minor version upgrades to 1.0.1h)
Comment 23 Marcus Meissner 2014-06-05 13:09:44 UTC
http://www.openssl.org/news/secadv_20140605.txt

OpenSSL Security Advisory [05 Jun 2014]
========================================

SSL/TLS MITM vulnerability (CVE-2014-0224)
===========================================

An attacker using a carefully crafted handshake can force the use of weak
keying material in OpenSSL SSL/TLS clients and servers. This can be exploited
by a Man-in-the-middle (MITM) attack where the attacker can decrypt and 
modify traffic from the attacked client and server.

The attack can only be performed between a vulnerable client *and*
server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers
are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users
of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
researching this issue.  This issue was reported to OpenSSL on 1st May
2014 via JPCERT/CC.

The fix was developed by Stephen Henson of the OpenSSL core team partly based
on an original patch from KIKUCHI Masashi.

DTLS recursion flaw (CVE-2014-0221)
====================================

By sending an invalid DTLS handshake to an OpenSSL DTLS client the code
can be made to recurse eventually crashing in a DoS attack.

Only applications using OpenSSL as a DTLS client are affected.

OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h.

Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.  This
issue was reported to OpenSSL on 9th May 2014.

The fix was developed by Stephen Henson of the OpenSSL core team.

DTLS invalid fragment vulnerability (CVE-2014-0195)
====================================================

A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.

Only applications using OpenSSL as a DTLS client or server are affected.

OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h.

Thanks to Jüri Aedla for reporting this issue.  This issue was
reported to OpenSSL on 23rd April 2014 via HP ZDI.

The fix was developed by Stephen Henson of the OpenSSL core team.

SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
=================================================================

A flaw in the do_ssl3_write function can allow remote attackers to
cause a denial of service via a NULL pointer dereference.  This flaw
only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is
enabled, which is not the default and not common.

OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

This issue was reported in public.  The fix was developed by
Matt Caswell of the OpenSSL development team.

SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
===============================================================================
 
A race condition in the ssl3_read_bytes function can allow remote
attackers to inject data across sessions or cause a denial of service.
This flaw only affects multithreaded applications using OpenSSL 1.0.0
and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the
default and not common.

OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

This issue was reported in public.  

Anonymous ECDH denial of service (CVE-2014-3470)
================================================

OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a
denial of service attack.

OpenSSL 0.9.8 users should upgrade to 0.9.8za.
OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

Thanks to Felix Gröbert and Ivan Fratrić at Google for discovering this
issue.  This issue was reported to OpenSSL on 28th May 2014.

The fix was developed by Stephen Henson of the OpenSSL core team.

Other issues
============

OpenSSL 1.0.0m and OpenSSL 0.9.8za also contain a fix for
CVE-2014-0076: Fix for the attack described in the paper "Recovering
OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack".
Reported by Yuval Yarom and Naomi Benger.  This issue was previously
fixed in OpenSSL 1.0.1g.


References
==========

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20140605.txt

Note: the online version of the advisory may be updated with additional
details over time.
Comment 24 Bernhard Wiedemann 2014-06-05 16:00:53 UTC
This is an autogenerated message for OBS integration:
This bug (880891) was mentioned in
https://build.opensuse.org/request/show/236399 Factory / openssl
Comment 25 Swamp Workflow Management 2014-06-05 18:58:32 UTC
Update released for: libopenssl-devel, libopenssl0_9_8, libopenssl0_9_8-32bit, libopenssl0_9_8-64bit, libopenssl0_9_8-hmac, libopenssl0_9_8-hmac-32bit, libopenssl0_9_8-hmac-64bit, libopenssl0_9_8-hmac-x86, libopenssl0_9_8-x86, openssl, openssl-debuginfo, openssl-debugsource, openssl-doc
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 26 Swamp Workflow Management 2014-06-05 19:47:04 UTC
Update released for: libopenssl-devel, libopenssl0_9_8, libopenssl0_9_8-32bit, libopenssl0_9_8-hmac, libopenssl0_9_8-hmac-32bit, libopenssl0_9_8-hmac-x86, libopenssl0_9_8-x86, openssl, openssl-debuginfo, openssl-debugsource, openssl-doc
Products:
SLE-DEBUGINFO 11-SP2 (i386, s390x, x86_64)
SLE-SERVER 11-SP2-LTSS (i386, s390x, x86_64)
Comment 27 Swamp Workflow Management 2014-06-05 19:57:35 UTC
Update released for: libopenssl-devel, libopenssl0_9_8, libopenssl0_9_8-32bit, libopenssl0_9_8-hmac, libopenssl0_9_8-hmac-32bit, libopenssl0_9_8-hmac-x86, libopenssl0_9_8-x86, openssl, openssl-debuginfo, openssl-debugsource, openssl-doc
Products:
SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
Comment 29 Swamp Workflow Management 2014-06-05 22:04:28 UTC
SUSE-SU-2014:0759-1: An update that fixes three vulnerabilities is now available.

Category: security (critical)
Bug References: 880891
CVE References: CVE-2014-0221,CVE-2014-0224,CVE-2014-3470
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    openssl-0.9.8j-0.58.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    openssl-0.9.8j-0.58.1
SUSE Linux Enterprise Server 11 SP3 (src):    openssl-0.9.8j-0.58.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    openssl-0.9.8j-0.58.1
Comment 31 Swamp Workflow Management 2014-06-05 23:07:27 UTC
SUSE-SU-2014:0761-1: An update that solves four vulnerabilities and has three fixes is now available.

Category: security (critical)
Bug References: 859228,859924,860332,862181,869945,870192,880891
CVE References: CVE-2014-0076,CVE-2014-0221,CVE-2014-0224,CVE-2014-3470
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    openssl-0.9.8j-0.58.1
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    openssl-0.9.8j-0.58.1
Comment 32 Swamp Workflow Management 2014-06-06 03:47:16 UTC
Update released for: libopenssl1-devel, libopenssl1-devel-32bit, libopenssl1-devel-64bit, libopenssl1_0_0, libopenssl1_0_0-32bit, libopenssl1_0_0-64bit, libopenssl1_0_0-x86, openssl1, openssl1-debuginfo, openssl1-debugsource, openssl1-doc
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SECURITY (i386, ia64, ppc64, s390x, x86_64)
Comment 34 Swamp Workflow Management 2014-06-06 07:04:36 UTC
SUSE-SU-2014:0762-1: An update that fixes 5 vulnerabilities is now available.

Category: security (critical)
Bug References: 876282,880891
CVE References: CVE-2014-0195,CVE-2014-0198,CVE-2014-0221,CVE-2014-0224,CVE-2014-3470
Sources used:
SUSE Linux Enterprise Security Module 11 SP3 (src):    openssl1-1.0.1g-0.16.1
Comment 35 Swamp Workflow Management 2014-06-06 09:04:51 UTC
openSUSE-SU-2014:0764-1: An update that fixes four vulnerabilities is now available.

Category: security (critical)
Bug References: 880891
CVE References: CVE-2014-0195,CVE-2014-0221,CVE-2014-0224,CVE-2014-3470
Sources used:
openSUSE 13.1 (src):    openssl-1.0.1h-11.48.1
openSUSE 12.3 (src):    openssl-1.0.1h-1.60.1
Comment 36 Bernhard Wiedemann 2014-06-06 12:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (880891) was mentioned in
https://build.opensuse.org/request/show/236457 Factory / openssl
Comment 37 Swamp Workflow Management 2014-06-06 15:04:21 UTC
Update released for: openssl, openssl-devel, openssl-doc
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 38 Swamp Workflow Management 2014-06-06 18:04:24 UTC
Update released for: openssl, openssl-32bit, openssl-debuginfo, openssl-devel, openssl-devel-32bit, openssl-doc, openssl-x86
Products:
SLE-DEBUGINFO 10-SP3-TERADATA (x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 39 Swamp Workflow Management 2014-06-06 18:54:42 UTC
Update released for: openssl, openssl-devel, openssl-doc
Products:
SUSE-CORE 9-LTSS (i386, s390, s390x, x86_64)
Comment 40 Swamp Workflow Management 2014-06-06 19:48:45 UTC
Update released for: openssl, openssl-32bit, openssl-debuginfo, openssl-devel, openssl-devel-32bit, openssl-doc, openssl-x86
Products:
SLE-DEBUGINFO 10-SP3 (i386, s390x, x86_64)
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)
Comment 41 Swamp Workflow Management 2014-06-06 19:52:26 UTC
Update released for: openssl, openssl-32bit, openssl-debuginfo, openssl-devel, openssl-devel-32bit, openssl-doc, openssl-x86
Products:
SLE-DEBUGINFO 10-SP4 (i386, s390x, x86_64)
SLE-SERVER 10-SP4-LTSS (i386, s390x, x86_64)
Comment 42 Swamp Workflow Management 2014-06-06 23:04:27 UTC
SUSE-SU-2014:0759-2: An update that fixes three vulnerabilities is now available.

Category: security (critical)
Bug References: 880891
CVE References: CVE-2014-0221,CVE-2014-0224,CVE-2014-3470
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    openssl-0.9.8a-18.82.4
SUSE Linux Enterprise Server 10 SP3 LTSS (src):    openssl-0.9.8a-18.45.77.1
Comment 45 Marcus Meissner 2014-06-07 10:15:01 UTC
Posted a note for CVE-2014-0195:

"According to our research, openssl before 0.9.8o is not affected by this overflow problem. The DTLS fragment reassembly was rewritten for 0.9.8o and older versions used different methods.
So openssl 0.9.8j as used by SUSE Linux Enterprise 11 and older versions are not affected. Please also note that this problem only affects the Datagram TLS (over UDP), not the regular TLS over TCP, which is more common."
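As an added example (not code from this bug, from OpenSSL or from SUSE), the per-branch upgrade table of the advisory quoted in comment 23 and the 0.9.8o caveat from the comment above, turned into a checker that orders OpenSSL's letter-suffixed release versions correctly; the CVE-to-branch mapping is transcribed from the advisory text, and the branch constants and function names are this example's own.

```python
"""Map an OpenSSL version string to the open issues from the 05 Jun 2014 advisory.

Added example for this bug report, not code from OpenSSL or SUSE.  Ordering
follows OpenSSL's classic scheme (major.minor.fix plus a letter suffix, where
'z' is followed by 'za', 'zb', ...), so 0.9.8j < 0.9.8o < 0.9.8z < 0.9.8za.
Issue data comes from the advisory in comment 23 plus comment 45's note that
0.9.8 before 0.9.8o is not affected by CVE-2014-0195.  1.0.2-beta1 uses a
different suffix scheme and is rejected rather than guessed at.
"""
import re
from typing import Dict, List, Tuple

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")
B098, B100, B101 = (0, 9, 8), (1, 0, 0), (1, 0, 1)

# Release that closes the whole advisory for each branch (advisory text).
FIXED_IN: Dict[Tuple[int, int, int], str] = {B098: "0.9.8za", B100: "1.0.0m", B101: "1.0.1h"}

# (CVE, branches the advisory lists as affected, per-branch first affected
#  release where the bug narrows it: comment 45 for 0.9.8 and CVE-2014-0195)
ADVISORY = [
    ("CVE-2014-0224", {B098, B100, B101}, {}),                # SSL/TLS MITM via handshake
    ("CVE-2014-0221", {B098, B100, B101}, {}),                # DTLS recursion (DTLS clients)
    ("CVE-2014-0195", {B098, B100, B101}, {B098: "0.9.8o"}),  # DTLS invalid fragment overrun
    ("CVE-2014-0198", {B100, B101}, {}),                      # SSL_MODE_RELEASE_BUFFERS NULL deref
    ("CVE-2010-5298", {B100, B101}, {}),                      # SSL_MODE_RELEASE_BUFFERS race
    ("CVE-2014-3470", {B098, B100, B101}, {}),                # anonymous ECDH client DoS
]

def parse_version(text: str) -> Tuple[int, int, int, Tuple[int, ...]]:
    """Parse '0.9.8za' into (0, 9, 8, (26, 1)); reject anything else."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a classic OpenSSL release version: {text!r}")
    major, minor, fix, letters = match.groups()
    # Encode suffix letters as 1..26 so tuple comparison orders
    # '' < 'a' < ... < 'z' < 'za' < 'zb', exactly as the releases do.
    suffix = tuple(ord(c) - ord("a") + 1 for c in letters)
    return int(major), int(minor), int(fix), suffix

def upgrade_target(version: str) -> str:
    """Release the advisory tells users of this branch to move to."""
    branch = parse_version(version)[:3]
    if branch not in FIXED_IN:
        raise ValueError(f"branch {'.'.join(map(str, branch))} not covered by the advisory")
    return FIXED_IN[branch]

def open_issues(version: str) -> List[str]:
    """Advisory CVEs an upstream build of `version` still carries, in advisory order."""
    parsed = parse_version(version)
    branch = parsed[:3]
    if parsed >= parse_version(upgrade_target(version)):
        return []
    open_cves = []
    for cve, branches, first_affected in ADVISORY:
        if branch not in branches:
            continue
        floor = first_affected.get(branch)
        if floor is not None and parsed < parse_version(floor):
            continue  # older code path, e.g. 0.9.8j and CVE-2014-0195
        open_cves.append(cve)
    return open_cves

if __name__ == "__main__":
    for v in ("0.9.8j", "0.9.8y", "1.0.0k", "1.0.1g", "1.0.1h"):
        print(f"{v:8} -> {upgrade_target(v)}  {open_issues(v)}")
```

For 0.9.8j it returns exactly the three CVEs listed in SUSE-SU-2014:0759-1 (comment 29). The check applies to upstream version strings only: distribution builds such as SUSE's openssl-0.9.8j-0.58.1 carry backported fixes, so the package changelog, not the version string, is the evidence.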
Comment 46 Swamp Workflow Management 2014-06-09 17:43:14 UTC
An update workflow for this issue was started.
This issue was rated as critical.
Please submit fixed packages until 2014-06-11.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/57757
Comment 53 Bernhard Wiedemann 2014-06-12 15:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (880891) was mentioned in
https://build.opensuse.org/request/show/236989 Factory / openssl
Comment 57 Swamp Workflow Management 2014-06-16 16:40:37 UTC
An update workflow for this issue was started.
This issue was rated as critical.
Please submit fixed packages until 2014-06-18.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/57849
Comment 61 Swamp Workflow Management 2014-06-24 08:18:31 UTC
Update released for: libopenssl0_9_8, libopenssl0_9_8-32bit, libopenssl0_9_8-hmac, libopenssl0_9_8-hmac-32bit, libopenssl0_9_8-hmac-x86, libopenssl0_9_8-x86, openssl, openssl-doc
Products:
Open-Enterprise-Server 11-SP1 (x86_64)
Comment 65 Swamp Workflow Management 2014-06-25 14:41:07 UTC
Update released for: openssl, openssl-doc, openssl-devel, openssl-32bit, openssl-devel-32bit
Products:
Open-Enterprise-Server 2-SP3 (i386, x86_64)
Comment 71 Swamp Workflow Management 2014-12-04 19:05:03 UTC
SUSE-SU-2014:1557-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 802184,880891,890764,901223,901277,905106
CVE References: CVE-2013-0166,CVE-2013-0169,CVE-2014-0224,CVE-2014-3470,CVE-2014-3508,CVE-2014-3566,CVE-2014-3568
Sources used:
SUSE Linux Enterprise for SAP Applications 11 SP1 (src):    compat-openssl097g-0.9.7g-146.22.25.1
Comment 72 Swamp Workflow Management 2014-12-04 23:05:04 UTC
SUSE-SU-2014:1557-2: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 802184,880891,890764,901223,901277,905106
CVE References: CVE-2013-0166,CVE-2013-0169,CVE-2014-0224,CVE-2014-3470,CVE-2014-3508,CVE-2014-3566,CVE-2014-3568
Sources used:
SUSE Linux Enterprise Desktop 11 SP3 (src):    compat-openssl097g-0.9.7g-146.22.25.1
Comment 73 Swamp Workflow Management 2015-03-23 23:05:33 UTC
SUSE-SU-2015:0578-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 802184,880891,890764,901223,901277,905106,912014,912015,912018,912293,912296,920236,922488,922496,922499,922500,922501
CVE References: 
Sources used:
SUSE Linux Enterprise for SAP Applications 11 SP2 (src):    compat-openssl097g-0.9.7g-146.22.29.1
Comment 74 Swamp Workflow Management 2015-04-21 17:05:39 UTC
SUSE-SU-2015:0743-1: An update that fixes 40 vulnerabilities is now available.

Category: security (important)
Bug References: 873351,876282,880891,896400,904627,906117,906194,911442,911556,915911,915912,915913,915914,919229
CVE References: CVE-2010-5298,CVE-2012-5615,CVE-2014-0195,CVE-2014-0198,CVE-2014-0221,CVE-2014-0224,CVE-2014-2494,CVE-2014-3470,CVE-2014-4207,CVE-2014-4258,CVE-2014-4260,CVE-2014-4274,CVE-2014-4287,CVE-2014-6463,CVE-2014-6464,CVE-2014-6469,CVE-2014-6474,CVE-2014-6478,CVE-2014-6484,CVE-2014-6489,CVE-2014-6491,CVE-2014-6494,CVE-2014-6495,CVE-2014-6496,CVE-2014-6500,CVE-2014-6505,CVE-2014-6507,CVE-2014-6520,CVE-2014-6530,CVE-2014-6551,CVE-2014-6555,CVE-2014-6559,CVE-2014-6564,CVE-2014-6568,CVE-2015-0374,CVE-2015-0381,CVE-2015-0382,CVE-2015-0391,CVE-2015-0411,CVE-2015-0432
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src):    mariadb-10.0.16-15.1
SUSE Linux Enterprise Software Development Kit 12 (src):    mariadb-10.0.16-15.1
SUSE Linux Enterprise Server 12 (src):    mariadb-10.0.16-15.1
SUSE Linux Enterprise Desktop 12 (src):    mariadb-10.0.16-15.1
Comment 75 Swamp Workflow Management 2022-02-16 21:15:06 UTC
SUSE-FU-2022:0445-1: An update that solves 183 vulnerabilities, contains 21 features and has 299 fixes is now available.

Category: feature (moderate)
Bug References: 1000080,1000117,1000194,1000677,1000742,1001148,1001912,1002585,1002895,1003091,1005246,1009528,1010874,1010966,1011936,1015549,1019637,1021641,1022085,1022086,1022271,1027079,1027610,1027688,1027705,1027908,1028281,1028723,1029523,1029902,1030038,1032118,1032119,1035604,1039469,1040164,1040256,1041090,1042392,1042670,1044095,1044107,1044175,1049186,1049304,1050653,1050665,1055478,1055542,1055825,1056058,1056951,1057496,1062237,1065363,1066242,1066873,1068790,1070737,1070738,1070853,1071905,1071906,1071941,1073310,1073845,1073879,1074247,1076519,1077096,1077230,1078329,1079761,1080301,1081005,1081750,1081751,1082155,1082163,1082318,1083826,1084117,1084157,1085276,1085529,1085661,1087102,1087104,1088573,1089039,1090427,1090765,1090953,1093518,1093917,1094788,1094814,1094883,1095267,1096738,1096937,1097158,1097531,1097624,1098535,1098592,1099308,1099569,1100078,1101246,1101470,1102868,1104789,1106197,1108508,1109882,1109998,1110435,1110869,1110871,1111493,1111622,1111657,1112209,1112357,1113534,1113652,1113742,1113975,1115769,1117951,1118611,1119376,1119416,1119792,1121717,1121852,1122191,1123064,1123185,1123186,1123558,1124885,1125815,1126283,1126318,1127080,1127173,1128146,1128323,1128355,1129071,1129566,1130840,1131291,1132174,1132323,1132455,1132663,1132900,1135009,1136444,1138666,1138715,1138746,1139915,1140255,1141168,1142899,1143033,1143454,1143893,1144506,1149686,1149792,1150003,1150190,1150250,1150895,1153830,1155815,1156677,1156694,1156908,1157104,1157354,1158809,1159235,1159538,1160163,1161557,1161770,1162224,1162367,1162743,1163978,1164310,1165439,1165578,1165730,1165823,1165960,1166139,1166758,1167008,1167501,1167732,1167746,1168480,1168973,1169489,1170175,1170863,1171368,1171561,1172226,1172908,1172928,1173226,1173356,1174009,1174091,1174514,1175729,1176116,1176129,1176134,1176232,1176256,1176257,1176258,1176259,1176262,1176389,1176785,1176977,1177120,1177127,1177559,1178168,1178341,1178670,1179491,1179562,1179630,1179805,1180125,1180781,
1181126,1181324,1181944,1182066,1182211,1182244,1182264,1182331,1182333,1182379,1182963,1183059,1183374,1183858,1184505,1185588,1185706,1185748,1186738,1187045,1189521,1190781,1193357,356549,381844,394317,408865,428177,430141,431945,437293,442740,459468,489641,504687,509031,526319,590833,610223,610642,629905,637176,651003,657698,658604,670526,673071,693027,715423,720601,743787,747125,748738,749210,749213,749735,750618,751718,751946,751977,754447,754677,761500,774710,784670,784994,787526,793420,799119,802184,803004,809831,811890,822642,825221,828513,831629,832833,834601,835687,839107,84331,849377,855666,855676,856687,857203,857850,858239,867887,869945,871152,872299,873351,876282,876710,876712,876748,880891,885662,885882,889013,889363,892477,892480,895129,898917,901223,901277,901902,902364,906878,907584,908362,908372,912014,912015,912018,912292,912293,912294,912296,912460,913229,915479,917607,917759,917815,919648,920236,922448,922488,922496,922499,922500,926597,929678,929736,930189,931698,931978,933898,933911,934487,934489,934491,934493,935856,937085,937212,937492,937634,937912,939456,940608,942385,942751,943421,944204,945455,946648,947104,947357,947679,948198,952871,954256,954486,954690,957812,957813,957815,958501,961334,962291,963415,963974,964204,964472,964474,965830,967128,968046,968047,968048,968050,968265,968270,968374,968601,975875,976942,977584,977614,977615,977616,977663,978224,981848,982268,982575,983249,984323,985054,988086,990207,990392,990419,990428,991193,991877,992120,992988,992989,992992,993130,993819,993825,993968,994749,994844,994910,995075,995324,995359,995377,995959,996255,997043,997614,998190,999665,999666,999668
CVE References: CVE-2006-2937,CVE-2006-2940,CVE-2006-3738,CVE-2006-4339,CVE-2006-4343,CVE-2006-7250,CVE-2007-3108,CVE-2007-4995,CVE-2007-5135,CVE-2008-0891,CVE-2008-1672,CVE-2008-5077,CVE-2009-0590,CVE-2009-0591,CVE-2009-0789,CVE-2009-1377,CVE-2009-1378,CVE-2009-1379,CVE-2009-1386,CVE-2009-1387,CVE-2010-0740,CVE-2010-0742,CVE-2010-1633,CVE-2010-2939,CVE-2010-3864,CVE-2010-5298,CVE-2011-0014,CVE-2011-3207,CVE-2011-3210,CVE-2011-3389,CVE-2011-4108,CVE-2011-4576,CVE-2011-4577,CVE-2011-4619,CVE-2011-4944,CVE-2012-0027,CVE-2012-0050,CVE-2012-0845,CVE-2012-0884,CVE-2012-1150,CVE-2012-1165,CVE-2012-2110,CVE-2012-2686,CVE-2012-4929,CVE-2013-0166,CVE-2013-0169,CVE-2013-1752,CVE-2013-4238,CVE-2013-4314,CVE-2013-4353,CVE-2013-6449,CVE-2013-6450,CVE-2014-0012,CVE-2014-0076,CVE-2014-0160,CVE-2014-0195,CVE-2014-0198,CVE-2014-0221,CVE-2014-0224,CVE-2014-1829,CVE-2014-1830,CVE-2014-2667,CVE-2014-3470,CVE-2014-3505,CVE-2014-3506,CVE-2014-3507,CVE-2014-3508,CVE-2014-3509,CVE-2014-3510,CVE-2014-3511,CVE-2014-3512,CVE-2014-3513,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-4650,CVE-2014-5139,CVE-2014-7202,CVE-2014-7203,CVE-2014-8275,CVE-2014-9721,CVE-2015-0204,CVE-2015-0205,CVE-2015-0206,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0293,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-2296,CVE-2015-3194,CVE-2015-3195,CVE-2015-3196,CVE-2015-3197,CVE-2015-3216,CVE-2015-4000,CVE-2016-0702,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800,CVE-2016-10745,CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2109,CVE-2016-2176,CVE-2016-2177,CVE-2016-2178,CVE-2016-2179,CVE-2016-2180,CVE-2016-2181,CVE-2016-2182,CVE-2016-2183,CVE-2016-6302,CVE-2016-6303,CVE-2016-6304,CVE-2016-6306,CVE-2016-7052,CVE-2016-7055,CVE-2016-9015,CVE-2017-18342,CVE-2017-3731,CVE-2017-3732,CVE-2017-3735,CVE-2017-3736,CVE-2017-3737,CVE-2017-3738,CVE-2018-0732,CVE-2018-0734,CVE-2018-0737,CVE-2018
-0739,CVE-2018-18074,CVE-2018-20060,CVE-2018-5407,CVE-2018-7750,CVE-2019-10906,CVE-2019-11236,CVE-2019-11324,CVE-2019-13132,CVE-2019-1547,CVE-2019-1551,CVE-2019-1559,CVE-2019-1563,CVE-2019-20907,CVE-2019-20916,CVE-2019-5010,CVE-2019-6250,CVE-2019-8341,CVE-2019-9740,CVE-2019-9947,CVE-2020-14343,CVE-2020-15166,CVE-2020-15523,CVE-2020-15801,CVE-2020-1747,CVE-2020-1971,CVE-2020-25659,CVE-2020-26137,CVE-2020-27783,CVE-2020-28493,CVE-2020-29651,CVE-2020-36242,CVE-2020-8492,CVE-2021-23336,CVE-2021-23840,CVE-2021-23841,CVE-2021-28957,CVE-2021-29921,CVE-2021-3177,CVE-2021-33503,CVE-2021-3426,CVE-2021-3712
JIRA References: ECO-3105,SLE-11435,SLE-12684,SLE-12986,SLE-13688,SLE-14253,SLE-15159,SLE-15860,SLE-15861,SLE-16754,SLE-17532,SLE-17957,SLE-18260,SLE-18354,SLE-18446,SLE-19264,SLE-3887,SLE-4480,SLE-4577,SLE-7686,SLE-9135
Sources used:
SUSE Manager Tools 12-BETA (src):    venv-salt-minion-3002.2-3.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.