SLES 11 SP3 Which patch for DROWN vulnerability?



sistemi_yacme
11-Mar-2016, 16:10
Hi everybody, I am currently running a SLES 11 SP3 server with an active support subscription, and I wish to apply the patch for DROWN.
In the SLES announcement, SLES 11 SP3 is not mentioned:

SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
SUSE Linux Enterprise Server 12 Service Pack 1

SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
SUSE Linux Enterprise Server 11 Service Pack 3 LTSS (SLES 11 SP3 LTSS)
SUSE Linux Enterprise Server 11 Service Pack 2 LTSS (SLES 11 SP2 LTSS)


And if I use YaST to search for the online patches, for OpenSSL I have these:

slessp3-libopenssl-devel
slessp3-openssl-12059
slessp3-openssl-12193
slessp3-openssl-12264

Those, as far as I understand, are not related to DROWN.
But if I search with patch finder, I can find a patch for SLES 11 SP3: https://download.suse.com/Download?buildid=Pvwq6yfsO_s~
Is that patch the right one for my SLES?

malcolmlewis
11-Mar-2016, 16:28
On Fri 11 Mar 2016 03:14:02 PM CST, sistemi yacme wrote:
> <snip>
> That, as far as I understood, are not related to DROWN.
> But if I search with patch finder, I can find a patch for SLES 11 SP3:
> https://download.suse.com/Download?buildid=Pvwq6yfsO_s~
> Is that patch the right one for my SLES?

Hi,
if you scroll down the page, the above link does indicate that it
covers the DROWN CVE.

--
Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 SP1|GNOME 3.10.4|3.12.53-60.30-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below... Thanks!

sistemi_yacme
11-Mar-2016, 16:39
Ok! Thanks for the quick reply. I applied the patch by downloading all files and using

rpm -ivh *.rpm

bartosz_kaszczyszyn1
19-Apr-2017, 10:31
Hello,

I have a similar question, related to the update for bind CVE-2017-3135.

My system is based on SUSE Linux Enterprise Server 11 SP3. But the CVE-2017-3135 fix is for SUSE Linux Enterprise Server 11 SP3 LTSS (Long Term Service Pack Support) only.

My question is whether my 11 SP3 version is also affected or not in this case. Since 11 SP3 is still officially supported until 2019, and 11 SP3 LTSS until 2022, is there any difference between them for patches released until 2019? I mean, are patches released for 11 SP3 LTSS valid for 11 SP3 (until 2019 at least)?

Thanks in advance

ab
19-Apr-2017, 12:38
My understanding is that LTSS is more about what you've paid for than
compatibility; if you have SP3, you can pay for LTSS and get longer-term
support rather than upgrading to SP4 or later versions of SLES. As a
result, the patches should be as valid as anything.

Regardless of any of that, you can check an RPM's changelog to see fixes
that went into it. For example, if 'bind' is the package, try this and
look for the bug number or CVE number in the changelog output; there may
be a lot of output, so perhaps pipe it to a pager like 'less':

rpm -q --changelog bind

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
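
The changelog check ab describes above (and the same question sistemi_yacme had for the DROWN patch: "does the package I have actually contain the fix for this CVE?") can be scripted so that it gives a clear yes/no instead of scrolling through `less`. The script below is an added example written for this thread, not something posted by ab or shipped by SUSE. It assumes `rpm`, `grep` and `awk` are on the path; the sample changelog text embedded in it is constructed for the demonstration only, so the script also runs on a machine without `rpm`.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether an installed RPM's
# changelog mentions a given CVE id, the check ab suggests with
# "rpm -q --changelog bind", plus printing the matching changelog entry.

# Constructed sample, shaped like `rpm -q --changelog` output. The dates,
# maintainer address and entries are made up for this demonstration; only
# CVE-2017-3135 and bsc#1024130 come from the thread.
SAMPLE_CHANGELOG='* Wed Apr 12 2017 maintainer@example.invalid
- Fix CVE-2017-3135 (bsc#1024130)
* Mon Jan 09 2017 maintainer@example.invalid
- Fix CVE-PLACEHOLDER-1 and CVE-PLACEHOLDER-2 (bsc#PLACEHOLDER)
* Tue Nov 01 2016 maintainer@example.invalid
- Rebuild for new toolchain'

# changelog_has_cve CVE-ID  : reads changelog text on stdin.
# Returns 0 if the CVE id appears as a whole word (so CVE-2017-3135 does not
# match CVE-2017-31350), 1 otherwise.
changelog_has_cve() {
    grep -q -i -w -F -e "$1"
}

# print_cve_entry CVE-ID  : reads changelog text on stdin and prints the
# entry (from its "* date author" header up to the next header) that
# mentions the CVE. Prints nothing if no entry matches.
print_cve_entry() {
    awk -v cve="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        BEGIN { re = "(^|[^A-Za-z0-9_])" cve "([^A-Za-z0-9_]|$)" }
        /^\* / { if (hit) exit; entry = $0 "\n"; next }
        { entry = entry $0 "\n"; if (match(tolower($0), re)) hit = 1 }
        END { if (hit) printf "%s", entry }
    '
}

# rpm_has_cve_fix PACKAGE CVE-ID  : the real check on an RPM-based system.
# Returns 0 if the installed package changelog mentions the CVE,
# 1 if it does not, 2 if the package is not installed at all.
rpm_has_cve_fix() {
    pkg=$1; cve=$2
    if ! rpm -q "$pkg" >/dev/null 2>&1; then
        return 2
    fi
    rpm -q --changelog "$pkg" | changelog_has_cve "$cve"
}

# Demonstration against the constructed sample (runs without rpm).
for cve in CVE-2017-3135 CVE-2017-31350; do
    if printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_has_cve "$cve"; then
        echo "$cve: mentioned in changelog, entry:"
        printf '%s\n' "$SAMPLE_CHANGELOG" | print_cve_entry "$cve"
    else
        echo "$cve: NOT mentioned in changelog"
    fi
done

# Live check of the bind package, only if rpm is available on this host.
if command -v rpm >/dev/null 2>&1; then
    rc=0
    rpm_has_cve_fix bind CVE-2017-3135 || rc=$?
    case $rc in
        0) echo "bind: changelog mentions CVE-2017-3135" ;;
        1) echo "bind: changelog does not mention CVE-2017-3135" ;;
        2) echo "bind: package not installed" ;;
    esac
fi
```

Note that a CVE id missing from the changelog is not proof the package is vulnerable: the fix may have landed under a bug number only, or the affected code path may not be built in. Treat the changelog as one piece of evidence and, as Simon's answer points out, pair it with the vendor's CVE page and the bug report for the actual affected configurations.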

smflood
19-Apr-2017, 12:42
On 19/04/17 10:34, bartosz kaszczyszyn1 wrote:

> I have a similar question, related to update for bind CVE-2017-3135.
>
> My system is based on SUSE Linux Enterprise Server 11-SP3. But the
> CVE-2017-3135 is for SUSE Linux Enterprise Server 11-SP3-LTSS (Long Term
> Service Pack Support) only.
>
> My question is whether my 11SP3 version is also affected or not in this
> case? Since11 SP3 is still supported officially till 2019 year , and the
> 11SP3 LTSS till 2022, is there any difference between them for patches
> released till 2019? I mean if patches released for 11SP3 LTSS are valid
> for 11SP3? (until 2019 year at least)

Firstly, General Support for SLES11 SP3 ended in January 2016, six months
after SLES11 SP4 was released. This is as per SUSE's Product Support
Lifecycle - see https://www.suse.com/lifecycle/ and
https://www.suse.com/support/policy.html

According to https://www.suse.com/security/cve/CVE-2017-3135/ no fix
will be made available for SLES11 SP3 unless you have Long Term Service
Pack Support.

From Comment 4 of Bug 1024130[1] it would seem that "only uncommon bind
configurations are affected that employ both of:

- DNS64 (a transitional technique that allows IPv6 only clients to talk
to IPv4-only nameservers)
- RPZ (response policy zones, a technique that allows custom DNS replies
e.g. for traffic filtering)"

HTH.

[1] https://bugzilla.suse.com/show_bug.cgi?id=1024130#c4
--
Simon
SUSE Knowledge Partner

------------------------------------------------------------------------
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.
------------------------------------------------------------------------

bartosz_kaszczyszyn1
19-Apr-2017, 14:24
Thank you for these quick and valuable answers.

Best regards