Bug 1150247 - (CVE-2019-1549) VUL-0: CVE-2019-1549: openssl-1_1: fork problem with random generator
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/242156/
Whiteboard: CVSSv2:NVD:CVE-2019-1549:5.0:(AV:N/AC...
Depends on:
Blocks:
Reported: 2019-09-11 05:45 UTC by Marcus Meissner
Modified: 2023-01-17 15:36 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Marcus Meissner 2019-09-11 05:45:13 UTC
CVE-2019-1549

OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was
intended to include protection in the event of a fork() system call in order to
ensure that the parent and child processes did not share the same RNG state.
However this protection was not being used in the default case. A partial
mitigation for this issue is that the output from a high precision timer is
mixed into the RNG state so the likelihood of a parent and child process sharing
state is significantly reduced. If an application already calls
OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem
does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1549
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1549.html
http://www.cvedetails.com/cve/CVE-2019-1549/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549
https://www.openssl.org/news/secadv/20190910.txt
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be
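The description above says the child of a fork() inherits the parent's RNG state unless an at-fork handler (what OPENSSL_INIT_ATFORK registers) flags the generator for reseeding in the child. The program below is an added example, not code from this bug or from OpenSSL: a toy userspace generator (splitmix64, not suitable for real use) stands in for OpenSSL's DRBG, and the helper names (drbg_seed, drbg_enable_fork_protection, fork_outputs_identical) are hypothetical. It forks, draws 16 bytes in parent and child, and reports whether the outputs are identical, first without the at-fork handler (the CVE condition) and then with it.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy DRBG: 64-bit splitmix64 state. It models OpenSSL's DRBG only in one
 * respect, that its state lives in process memory and is copied by fork().
 * Constructed for this example; it is NOT cryptographically suitable. */
static uint64_t drbg_state;
static int drbg_reseed_pending;

/* Seed from the kernel CSPRNG. Returns 0 on success, -1 on failure. */
static int drbg_seed(void)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(&drbg_state, sizeof drbg_state, 1, f);
    fclose(f);
    drbg_reseed_pending = 0;
    return got == 1 ? 0 : -1;
}

/* Fill out[0..n) from the generator; reseed first if a fork was observed. */
static void drbg_bytes(unsigned char *out, size_t n)
{
    if (drbg_reseed_pending)
        (void)drbg_seed();      /* child: discard the inherited state */
    for (size_t i = 0; i < n; i += 8) {
        uint64_t z = (drbg_state += 0x9E3779B97F4A7C15ULL);
        z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
        z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
        z ^= z >> 31;
        size_t chunk = n - i < 8 ? n - i : 8;
        memcpy(out + i, &z, chunk);
    }
}

/* Child-side at-fork handler: only flags the generator, the reseed happens
 * on the next draw. This is the analogue of what OPENSSL_INIT_ATFORK sets up. */
static void drbg_atfork_child(void)
{
    drbg_reseed_pending = 1;
}

/* Register the handler. Returns 0 on success (pthread_atfork semantics). */
static int drbg_enable_fork_protection(void)
{
    return pthread_atfork(NULL, NULL, drbg_atfork_child);
}

/* Fork, draw 16 bytes on each side, ship the child's bytes back over a pipe
 * and compare. Returns 1 if identical (the CVE-2019-1549 condition),
 * 0 if they differ, -1 on a system-call failure. */
static int fork_outputs_identical(void)
{
    int fd[2];
    unsigned char mine[16], theirs[16];
    if (pipe(fd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(fd[0]);
        drbg_bytes(theirs, sizeof theirs);
        ssize_t w = write(fd[1], theirs, sizeof theirs); /* 16 bytes < PIPE_BUF: atomic */
        (void)w;
        _exit(0);
    }
    close(fd[1]);
    drbg_bytes(mine, sizeof mine);
    ssize_t n = read(fd[0], theirs, sizeof theirs);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (n != (ssize_t)sizeof theirs)
        return -1;
    return memcmp(mine, theirs, sizeof mine) == 0;
}

int main(void)
{
    if (drbg_seed() != 0)
        return 1;
    /* Default case in OpenSSL 1.1.1-1.1.1c: no handler, child repeats the parent. */
    printf("without at-fork handler: identical=%d\n", fork_outputs_identical());
    /* Equivalent of calling OPENSSL_init_crypto(OPENSSL_INIT_ATFORK, NULL). */
    drbg_enable_fork_protection();
    printf("with at-fork handler:    identical=%d\n", fork_outputs_identical());
    return 0;
}
```

The handler is deliberately minimal: it sets a flag rather than reseeding inside the at-fork callback, which keeps the callback async-signal-safe and mirrors the lazy-reseed pattern. The toy omits the partial mitigation the advisory mentions (mixing a high-precision timer into the state), so without the handler the two outputs are identical every time rather than merely likely to be.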
Comment 1 Marcus Meissner 2019-09-11 05:45:37 UTC
Only openssl 1.1.1 is affected, all older versions are not affected.

sles12 sp4 and 15sp2 only.
Comment 5 Swamp Workflow Management 2020-01-14 20:16:18 UTC
SUSE-SU-2020:0099-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1133925,1140277,1150003,1150247,1150250,1158809
CVE References: CVE-2019-1547,CVE-2019-1549,CVE-2019-1551,CVE-2019-1563
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    openssl-1_1-1.1.1d-2.20.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    openssl-1_1-1.1.1d-2.20.1
SUSE Linux Enterprise Server 12-SP5 (src):    openssl-1_1-1.1.1d-2.20.1
SUSE Linux Enterprise Server 12-SP4 (src):    openssl-1_1-1.1.1d-2.20.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    openssl-1_1-1.1.1d-2.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Marcus Meissner 2020-02-06 11:00:44 UTC
done