openssl-0.9.8j-0.58.1 and CVE-2014-0224

Looking at Novell’s web site, it says we have to be at openssl-0.9.8j-0.58.1 or greater to be in the clear for CVE-2014-0224 (openssl), even though it says in the description “OpenSSL before 0.9.8za” is vulnerable. openssl-0.9.8j-0.58.1 is listed in the fixed package versions, and that is the version we are at, but I wanted to verify. Doesn’t 0.9.8j come before 0.9.8za?

The Novell advisory is at the following url:

http://support.novell.com/security/cve/CVE-2014-0224.html

Hi
Better to refer to the SUSE one :wink:
https://www.suse.com/support/update/announcement/2014/suse-su-20140759-1.html

I would guess that's a typo; it should be an 'a' rather than 'za', referring
to the other SUSE releases, which you can see from the list here:
https://www.suse.com/support/security/advisories/


Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
openSUSE 13.1 (Bottle) (x86_64) GNOME 3.10.1 Kernel 3.11.10-11-desktop
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!

On 12/06/2014 00:00, malcolmlewis wrote:

> I would guess that's a typo; it should be an 'a' rather than 'za', referring
> to the other SUSE releases, which you can see from the list here:
> https://www.suse.com/support/security/advisories/

The reference to ‘za’ is not a typo - OpenSSL 0.9.8za is the latest
version of the OpenSSL 0.9.8 branch available via openssl.org.

HTH.

Simon
SUSE Knowledge Partner


If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.

On 11/06/2014 23:24, jeffisaacs wrote:

> Looking at Novell's web site, it says we have to be at
> openssl-0.9.8j-0.58.1 or greater to be in the clear for CVE-2014-0224
> (openssl), even though it says in the description "OpenSSL before
> 0.9.8za" is vulnerable. openssl-0.9.8j-0.58.1 is listed in the fixed
> package versions, and that is the version we are at, but I wanted to
> verify. Doesn't 0.9.8j come before 0.9.8za?
>
> The Novell advisory is at the following url:
>
> http://support.novell.com/security/cve/CVE-2014-0224.html

Whilst at first glance the updated OpenSSL 0.9.8j-0.58.1 would appear to
still be vulnerable given the version number, this is why you should never
simply trust the version number when checking for vulnerabilities. For
stability reasons SUSE backports security fixes from later versions of
software into earlier code.

So whilst SUSE's OpenSSL 0.9.8j-0.58.1 would appear to be vulnerable
since it's 0.9.8j, it's actually 0.9.8j plus fixes from 0.9.8k through
0.9.8za.

Checking the RPM changelog of the openssl package on a SLES11 SP3 server
reveals it's been patched for CVE-2014-0224 (amongst others):

--begin--

rpm -q --changelog openssl | head

- Fixed bug[ bnc#880891], prevent buffer overread, by Sebastian Krahmer
- Add patch file: prevent_buffer_overread.patch

* Mon Jun 02 2014 shchang@suse.com

- Fixed bug[ bnc#880891], multiple OpenSSL CVE issues
  Add patch files: CVE-2014-3470.patch, CVE-2014-0221.patch,
  CVE-2014-0224.patch
- Fix bug[ bnc#870192], Some libraries like libcrypto.so.0.9.8 (32bit)
  has the execstack flag set

--end--

HTH.

Simon
SUSE Knowledge Partner


If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.
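The check Simon describes, turned into a small script as an added example (not code from the thread or from SUSE): instead of comparing "0.9.8j" against "0.9.8za", it walks the RPM changelog entry by entry and reports the entry that records the CVE backport. The changelog text embedded below is constructed, modelled on the output quoted in the post; its first entry header is invented because `head` cut it off there. The function names `cve_fix_entry` and `installed_cve_fix` are this example's own.

```shell
#!/bin/sh
# Added example: find the RPM changelog entry that records a CVE backport,
# so the decision rests on the changelog rather than on the version string.

# cve_fix_entry CVE-ID  < changelog-text
# Prints the "* <date> <packager>" header of the first changelog entry whose
# body mentions the CVE id; returns 1 when no entry mentions it.
cve_fix_entry() {
    awk -v cve="$1" '
        /^\* /                          { header = $0; next }     # entry header
        header != "" && index($0, cve)  { print header; found = 1; exit }
        END                             { exit found ? 0 : 1 }
    '
}

# installed_cve_fix PACKAGE CVE-ID
# Same check against the live RPM database. Returns 2 when rpm is not
# available, so a caller can tell "no rpm here" from "no fix recorded".
installed_cve_fix() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -q --changelog "$1" | cve_fix_entry "$2"
}

# Constructed sample modelled on the changelog quoted in the thread. The first
# header is invented (the post's output was truncated by `head`).
SAMPLE_CHANGELOG='* Thu Jun 05 2014 packager@example.com
- Fixed bug[ bnc#880891], prevent buffer overread, by Sebastian Krahmer
- Add patch file: prevent_buffer_overread.patch

* Mon Jun 02 2014 shchang@suse.com
- Fixed bug[ bnc#880891], multiple OpenSSL CVE issues
  Add patch files: CVE-2014-3470.patch, CVE-2014-0221.patch,
  CVE-2014-0224.patch
- Fix bug[ bnc#870192], Some libraries like libcrypto.so.0.9.8 (32bit)
  has the execstack flag set'

# Stand-alone demonstration on the sample. On a SUSE host you would run
# installed_cve_fix openssl CVE-2014-0224 against the real package instead.
if entry=$(printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fix_entry CVE-2014-0224); then
    echo "CVE-2014-0224 fix recorded in entry: $entry"
else
    echo "CVE-2014-0224 not mentioned in changelog"
fi
```

The entry header is what you want to keep as evidence: it dates the backport, which is the fact an auditor asks for when the package version alone looks unpatched. A CVE id that appears nowhere in the changelog gives exit status 1, which is the signal to look further (the SUSE advisory, or the patch files shipped in the source RPM) rather than to assume the fix is present.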