Which patch for DROWN vulnerability?

Hi everybody, I am currently running a SLES 11 SP3 server with an active support subscription, and I wish to apply the patch for DROWN.
In the SLES announcement, SLES 11 SP3 is not mentioned:

And if I use YaST to search for online patches, for OpenSSL I find these:

slessp3-libopenssl-devel
slessp3-openssl-12059
slessp3-openssl-12193
slessp3-openssl-12264

These, as far as I understand, are not related to DROWN.
But if I search with patch finder, I can find a patch for SLES 11 SP3: https://download.suse.com/Download?buildid=Pvwq6yfsO_s~
Is that patch the right one for my SLES?

Hi
If you scroll down the page, the above link does indicate that it
covers the DROWN CVE.


Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 SP1|GNOME 3.10.4|3.12.53-60.30-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!

Ok! Thanks for the quick reply. I applied the patch by downloading all files and using

rpm -ivh *.rpm

Hello,

I have a similar question, related to update for bind CVE-2017-3135.

My system is based on SUSE Linux Enterprise Server 11-SP3. But the CVE-2017-3135 update is for SUSE Linux Enterprise Server 11-SP3-LTSS (Long Term Service Pack Support) only.

My question is whether my 11SP3 version is also affected or not in this case? Since 11 SP3 is still officially supported until 2019, and 11SP3 LTSS until 2022, is there any difference between them for patches released until 2019? I mean, are patches released for 11SP3 LTSS valid for 11SP3 (until 2019 at least)?

Thanks in advance

My understanding is that LTSS is more about what you’ve paid for than
compatibility; if you have SP3, you can pay for LTSS and get longer-term
support rather than upgrading to SP4 or later versions of SLES. As a
result, the patches should be as valid as anything.

Regardless of any of that, you can check an RPM’s changelog to see fixes
that went into it. For example, if ‘bind’ is the package, try this and
look for the bug number or CVE number in the changelog output; there may
be a lot of output, so perhaps pipe it to a pager like ‘less’:

rpm -q --changelog bind


Good luck.


If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
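The changelog check suggested above, as an added example that is not part of the thread: `cve_in_changelog` reads changelog text on stdin and reports whether a given CVE id appears in it, so it can be tried offline against the constructed sample below; `rpm_has_cve` wraps it around `rpm -q --changelog` for use on a real SLES host. The sample changelog, the maintainer address and the bsc# number are constructed placeholders, not real SUSE changelog entries.

```shell
#!/bin/sh
# Added example, not from the forum thread or from SUSE: look for a CVE id in an
# RPM changelog. Text processing is separated from the rpm call so the check can be
# exercised without rpm installed.

# Usage: cve_in_changelog CVE-YYYY-NNNN < changelog-text ; exit 0 if the id appears.
cve_in_changelog() {
    cve="$1"
    # -F: match the id as a fixed string, -i: some changelogs lower-case "cve",
    # -q: only the exit status matters.
    grep -Fqi -- "$cve"
}

# Usage: rpm_has_cve <package> <CVE id>; prints a verdict and returns 0 when found.
rpm_has_cve() {
    pkg="$1"; cve="$2"
    if rpm -q --changelog "$pkg" 2>/dev/null | cve_in_changelog "$cve"; then
        echo "$pkg: changelog mentions $cve (fix present)"
    else
        echo "$pkg: $cve not found in changelog (not fixed, or package not installed)"
        return 1
    fi
}

# Constructed sample, in the layout `rpm -q --changelog bind` prints. The address,
# dates and bsc# value are placeholders.
SAMPLE_CHANGELOG='* Tue Feb 14 2017 maintainer@example.invalid
- CVE-2017-3135: fix crash when DNS64 and RPZ are used together (bsc#PLACEHOLDER)
* Mon Jan 16 2017 maintainer@example.invalid
- rebuild for release'

# Offline demonstration: prints "found" for the sample above.
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_in_changelog CVE-2017-3135 && echo "found"

# On a real host the package check would be: rpm_has_cve bind CVE-2017-3135
```

Because `grep -F` matches the id as a literal string, a changelog entry that only references the SUSE bug number (bsc#) and not the CVE id will be missed; in that case search for the bug number from the SUSE CVE page instead.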

On 19/04/17 10:34, bartosz kaszczyszyn1 wrote:
I have a similar question, related to update for bind CVE-2017-3135.

My system is based on SUSE Linux Enterprise Server 11-SP3. But the
CVE-2017-3135 update is for SUSE Linux Enterprise Server 11-SP3-LTSS (Long Term
Service Pack Support) only.

My question is whether my 11SP3 version is also affected or not in this
case? Since 11 SP3 is still officially supported until 2019, and
11SP3 LTSS until 2022, is there any difference between them for patches
released until 2019? I mean, are patches released for 11SP3 LTSS valid
for 11SP3 (until 2019 at least)?

Firstly, General Support for SLES11 SP3 ended in January 2016, six months
after SLES11 SP4 was released. This is as per SUSE’s Product Support
Lifecycle - see https://www.suse.com/lifecycle/ and
https://www.suse.com/support/policy.html

According to https://www.suse.com/security/cve/CVE-2017-3135/ no fix
will be made available for SLES11 SP3 unless you have Long Term Service
Pack Support.

From Comment 4 of Bug 1024130[1] it would seem that "only uncommon bind
configurations are affected that employ both of:

  • DNS64 (a transitional technique that allows IPv6 only clients to talk
    to IPv4-only nameservers)
  • RPZ (response policy zones, a technique that allows custom DNS replies
    e.g. for traffic filtering)"

HTH.

[1] https://bugzilla.suse.com/show_bug.cgi?id=1024130#c4

Simon
SUSE Knowledge Partner



Thank you, for these quick and valuable answers.

Best regards