Bugzilla – Bug 968046
VUL-0: CVE-2016-0800: openssl: Cross-protocol attack on TLS using SSLv2 (DROWN)
Last modified: 2022-02-16 21:22:32 UTC
For the patch backport, we should use: The disable sslv2 by default: - ssl/ssl_lib.c part ( the flag set of SSL_OP_NO_SSLv2 ) We should also probably take the weak ciphers parts: - ssl/s2_lib.c - as-is Note entirely decided on the sslv3 weak cipher removal, but I would try to go for it. (perhaps also just #if 0 ) - ssl/s3_lib.c The huge other changes I would not go for backporting.
(we are still discussing if disabling sslv2 is OK for our old products )
The main issue here is that the core of the fix is only: Disable SSLv2. Either we do it directly in the library, or in every service :/
.
Created attachment 666838 [details] openssl-CVE-2016-0800-DROWN-disable-ssl2.patch small variant, that features an environment variable check to potentially reenable SSL2 for customers that really need it.
reviewed this with thomas. we will try: - disable ssl2 by default, but specifiy an environemnt variable to enable it for customer services that require it - disable export ciphers by default (even harder), but specify an environemnt variable to enable it for customer services that require it
Created attachment 666843 [details] openssl-CVE-2016-0800-DROWN-disable-ssl2.patch patch proposal, using + /* Default is now SSLv2 disabled (CVE-2016-0800 bsc#968046 DROWN) */ + if (!getenv("OPENSSL_ALLOW_SSL2")) + ret->options |= SSL_OP_NO_SSLv2; and + int support_export = !!getenv("OPENSSL_ALLOW_EXPORT");
QA reproducer: 1. SSL2 disablement I set up e88.suse.de:4433 as a SSL2 capable host. openssl s_client -ssl2 -connect e88:4433 BEFORE openssl s_client -ssl2 -connect e88:4433 works AFTER openssl s_client -ssl2 -connect e88:4433 does not work OPENSSL_ALLOW_SSL2=1 openssl s_client -ssl2 -connect e88:4433 works as before 2. EXPORT ciphers BEFORE: openssl ciphers EXPORT prints something like: EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-ADH-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-ADH-RC4-MD5:EXP-RC4-MD5:EXP-RC4-MD5 AFRTER: openssl ciphers EXPORT Error in cipher list 25109:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1216: OPENSSL_ALLOW_EXPORT=1 openssl ciphers EXPORT EXP-ADH-DES-CBC-SHA:EXP-ADH-RC4-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5
adjusted QA reproducer for ssl2 test: openssl s_client -cipher DES-CBC3-MD5 -connect e88.suse.de:4433 OPENSSL_ALLOW_SSL2=1 openssl s_client -cipher DES-CBC3-MD5 -connect e88.suse.de:4433 before: both work after: only second with env var works
https://drownattack.com/
This issue is now public, see above website for information.
openssl statement: Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800) ================================================================ Severity: High A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP) shares the RSA keys of the non-vulnerable server. This vulnerability is known as DROWN (CVE-2016-0800). Recovering one session key requires the attacker to perform approximately 2^50 computation, as well as thousands of connections to the affected server. A more efficient variant of the DROWN attack exists against unpatched OpenSSL servers using versions that predate 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf released on 19/Mar/2015 (see CVE-2016-0703 below). Users can avoid this issue by disabling the SSLv2 protocol in all their SSL/TLS servers, if they've not done so already. Disabling all SSLv2 ciphers is also sufficient, provided the patches for CVE-2015-3197 (fixed in OpenSSL 1.0.1r and 1.0.2f) have been deployed. Servers that have not disabled the SSLv2 protocol, and are not patched for CVE-2015-3197 are vulnerable to DROWN even if all SSLv2 ciphers are nominally disabled, because malicious clients can force the use of SSLv2 with EXPORT ciphers. OpenSSL 1.0.2g and 1.0.1s deploy the following mitigation against DROWN: SSLv2 is now by default disabled at build-time. Builds that are not configured with "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used, users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will need to explicitly call either of: SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); or SSL_clear_options(ssl, SSL_OP_NO_SSLv2); as appropriate. Even if either of those is used, or the application explicitly uses the version-specific SSLv2_method() or its client or server variants, SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed. Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no longer available. In addition, weak ciphers in SSLv3 and up are now disabled in default builds of OpenSSL. Builds that are not configured with "enable-weak-ssl-ciphers" will not provide any "EXPORT" or "LOW" strength ciphers. OpenSSL 1.0.2 users should upgrade to 1.0.2g OpenSSL 1.0.1 users should upgrade to 1.0.1s This issue was reported to OpenSSL on December 29th 2015 by Nimrod Aviram and Sebastian Schinzel. The fix was developed by Viktor Dukhovni and Matt Caswell of OpenSSL. SUSE Note: this also affects openssl 0.9.7 and 0.9.8.
This is an autogenerated message for OBS integration: This bug (968046) was mentioned in https://build.opensuse.org/request/show/363587 13.2 / openssl
openssl is built without sslv2 support since april 11, 2014..any product released after that date needs no patch.
All affected openssl packages are now submitted. Reassigning to security team.
SUSE-SU-2016:0617-1: An update that solves 9 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 952871,958501,963415,968046,968047,968048,968050,968051,968053,968265,968374 CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0704,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): openssl-1.0.1i-27.13.1 SUSE Linux Enterprise Server 12 (src): openssl-1.0.1i-27.13.1 SUSE Linux Enterprise Desktop 12 (src): openssl-1.0.1i-27.13.1
SUSE-SU-2016:0620-1: An update that solves 9 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 958501,963415,968046,968047,968048,968050,968051,968053,968265,968374 CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0704,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): openssl-1.0.1i-44.1 SUSE Linux Enterprise Server 12-SP1 (src): openssl-1.0.1i-44.1 SUSE Linux Enterprise Desktop 12-SP1 (src): openssl-1.0.1i-44.1
SUSE-SU-2016:0621-1: An update that solves 9 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 952871,963415,968046,968047,968048,968050,968051,968053,968265,968374 CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0704,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800 Sources used: SUSE Linux Enterprise Server 11-SECURITY (src): openssl1-1.0.1g-0.40.1
SUSE-SU-2016:0624-1: An update that solves 7 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 952871,963415,967787,968046,968047,968048,968051,968053,968374 CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0705,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800 Sources used: SUSE Studio Onsite 1.3 (src): openssl-0.9.8j-0.89.1 SUSE Linux Enterprise Software Development Kit 11-SP4 (src): openssl-0.9.8j-0.89.1 SUSE Linux Enterprise Server 11-SP4 (src): openssl-0.9.8j-0.89.1 SUSE Linux Enterprise Server 11-SP3-LTSS (src): openssl-0.9.8j-0.89.1 SUSE Linux Enterprise Server 11-SP2-LTSS (src): openssl-0.9.8j-0.89.1 SUSE Linux Enterprise Desktop 11-SP4 (src): openssl-0.9.8j-0.89.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): openssl-0.9.8j-0.89.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): openssl-0.9.8j-0.89.1 SUSE Linux Enterprise Debuginfo 11-SP2 (src): openssl-0.9.8j-0.89.1
(In reply to Cristian Rodríguez from comment #29) > openssl is built without sslv2 support since april 11, 2014..any product > released after that date needs no patch. That's wrong. Leap 42.1 is affected an serves certificate information when talking to servers: openssl s_client -ssl2 -starttls smtp -connect <server>:25 (SMTP example) (a missing cipher is not enough) 13.2 does not serve certificate information. The "no-ssl2" build flag is nowhere in the 42.1 spec-File, whereas in 13.2 it is. Please provide updates.
(In reply to Andreas Osterburg from comment #35) > (In reply to Cristian Rodríguez from comment #29) > > openssl is built without sslv2 support since april 11, 2014..any product > > released after that date needs no patch. > That's wrong. Leap 42.1 is affected an serves certificate information when > talking to servers: That's because Leap 42.1 inherited openssl from SLE-12. > Please provide updates. Updates are on their way.
Please note that the openssl s_client/s_server -ssl2 uses the SSLv2 methods which will stay being available. The regular methods (SSLv23_method) however will no longer do sslv2 by default at all by setting the SSL_OP_NO_SSLv2 flag.
openSUSE-SU-2016:0627-1: An update that solves 6 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 952871,968046,968047,968048,968050,968265,968374 CVE References: CVE-2016-0702,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800 Sources used: openSUSE 13.2 (src): openssl-1.0.1k-2.33.1
openSUSE-SU-2016:0628-1: An update that solves 9 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 958501,963415,968046,968047,968048,968050,968051,968053,968265,968374 CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0704,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800 Sources used: openSUSE Leap 42.1 (src): openssl-1.0.1i-12.1
SUSE-SU-2016:0631-1: An update that fixes 6 vulnerabilities is now available. Category: security (important) Bug References: 963415,968046,968048,968051,968053,968374 CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800 Sources used: SUSE Linux Enterprise Server for SAP 11-SP4 (src): compat-openssl097g-0.9.7g-146.22.41.1 SUSE Linux Enterprise Desktop 11-SP4 (src): compat-openssl097g-0.9.7g-146.22.41.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): compat-openssl097g-0.9.7g-146.22.41.1
openSUSE-SU-2016:0637-1: An update that fixes 11 vulnerabilities is now available. Category: security (important) Bug References: 957812,957815,963415,968046,968047,968048,968050,968265,968374 CVE References: CVE-2015-1794,CVE-2015-3194,CVE-2015-3195,CVE-2015-3197,CVE-2016-0701,CVE-2016-0702,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800 Sources used: openSUSE Evergreen 11.4 (src): openssl-1.0.1p-71.1
released almost all packages
openSUSE-SU-2016:0640-1: An update that fixes 37 vulnerabilities is now available. Category: security (important) Bug References: 952871,963415,967787,968046,968048,968374 CVE References: CVE-2013-0166,CVE-2013-0169,CVE-2014-0076,CVE-2014-0195,CVE-2014-0221,CVE-2014-0224,CVE-2014-3470,CVE-2014-3505,CVE-2014-3506,CVE-2014-3507,CVE-2014-3508,CVE-2014-3510,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568,CVE-2014-3569,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-8275,CVE-2015-0204,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0293,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-3195,CVE-2015-3197,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800 Sources used: openSUSE Leap 42.1 (src): libopenssl0_9_8-0.9.8zh-14.1 openSUSE 13.2 (src): libopenssl0_9_8-0.9.8zh-9.3.1
SUSE-SU-2016:0641-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 952871,963415,968046,968048,968051,968053,968374 CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0704,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800 Sources used: SUSE Linux Enterprise Server for SAP 12-SP1 (src): compat-openssl098-0.9.8j-94.1 SUSE Linux Enterprise Module for Legacy Software 12 (src): compat-openssl098-0.9.8j-94.1 SUSE Linux Enterprise Desktop 12-SP1 (src): compat-openssl098-0.9.8j-94.1 SUSE Linux Enterprise Desktop 12 (src): compat-openssl098-0.9.8j-94.1
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2016-03-14. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62525
SUSE-SU-2016:0678-1: An update that fixes 8 vulnerabilities is now available. Category: security (important) Bug References: 937492,957812,963415,968046,968048,968051,968053,968374 CVE References: CVE-2015-0287,CVE-2015-3195,CVE-2015-3197,CVE-2016-0703,CVE-2016-0704,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800 Sources used: SUSE Linux Enterprise Server 10 SP4 LTSS (src): openssl-0.9.8a-18.94.2
openSUSE-SU-2016:0720-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 952871,963415,968046,968048,968051,968053,968374 CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0704,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800 Sources used: openSUSE Leap 42.1 (src): compat-openssl098-0.9.8j-9.1
SUSE-SU-2016:1057-1: An update that solves 7 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 952871,963415,967787,968046,968047,968048,968051,968053,968374 CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0705,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800 Sources used: SUSE OpenStack Cloud 5 (src): openssl-0.9.8j-0.91.1 SUSE Manager Proxy 2.1 (src): openssl-0.9.8j-0.91.1 SUSE Manager 2.1 (src): openssl-0.9.8j-0.91.1
openSUSE-SU-2016:1239-1: An update that solves 9 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 963415,968046,968048,968050,968374,976942,976943,977614,977615,977617 CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109 Sources used: openSUSE Evergreen 11.4 (src): libopenssl0_9_8-0.9.8zh-14.1
openSUSE-SU-2016:1241-1: An update that solves 9 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 963415,968046,968048,968050,968374,976942,976943,977614,977615,977617 CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109 Sources used: openSUSE 13.1 (src): libopenssl0_9_8-0.9.8zh-5.3.1
SUSE-FU-2022:0445-1: An update that solves 183 vulnerabilities, contains 21 features and has 299 fixes is now available. Category: feature (moderate) Bug References: 1000080,1000117,1000194,1000677,1000742,1001148,1001912,1002585,1002895,1003091,1005246,1009528,1010874,1010966,1011936,1015549,1019637,1021641,1022085,1022086,1022271,1027079,1027610,1027688,1027705,1027908,1028281,1028723,1029523,1029902,1030038,1032118,1032119,1035604,1039469,1040164,1040256,1041090,1042392,1042670,1044095,1044107,1044175,1049186,1049304,1050653,1050665,1055478,1055542,1055825,1056058,1056951,1057496,1062237,1065363,1066242,1066873,1068790,1070737,1070738,1070853,1071905,1071906,1071941,1073310,1073845,1073879,1074247,1076519,1077096,1077230,1078329,1079761,1080301,1081005,1081750,1081751,1082155,1082163,1082318,1083826,1084117,1084157,1085276,1085529,1085661,1087102,1087104,1088573,1089039,1090427,1090765,1090953,1093518,1093917,1094788,1094814,1094883,1095267,1096738,1096937,1097158,1097531,1097624,1098535,1098592,1099308,1099569,1100078,1101246,1101470,1102868,1104789,1106197,1108508,1109882,1109998,1110435,1110869,1110871,1111493,1111622,1111657,1112209,1112357,1113534,1113652,1113742,1113975,1115769,1117951,1118611,1119376,1119416,1119792,1121717,1121852,1122191,1123064,1123185,1123186,1123558,1124885,1125815,1126283,1126318,1127080,1127173,1128146,1128323,1128355,1129071,1129566,1130840,1131291,1132174,1132323,1132455,1132663,1132900,1135009,1136444,1138666,1138715,1138746,1139915,1140255,1141168,1142899,1143033,1143454,1143893,1144506,1149686,1149792,1150003,1150190,1150250,1150895,1153830,1155815,1156677,1156694,1156908,1157104,1157354,1158809,1159235,1159538,1160163,1161557,1161770,1162224,1162367,1162743,1163978,1164310,1165439,1165578,1165730,1165823,1165960,1166139,1166758,1167008,1167501,1167732,1167746,1168480,1168973,1169489,1170175,1170863,1171368,1171561,1172226,1172908,1172928,1173226,1173356,1174009,1174091,1174514,1175729,1176116,1176129,1176134,1176232,1176256,1176257,1176258,1176259,1176262,1176389,1176785,1176977,1177120,1177127,1177559,1178168,1178341,1178670,1179491,1179562,1179630,1179805,1180125,1180781,1181126,1181324,1181944,1182066,1182211,1182244,1182264,1182331,1182333,1182379,1182963,1183059,1183374,1183858,1184505,1185588,1185706,1185748,1186738,1187045,1189521,1190781,1193357,356549,381844,394317,408865,428177,430141,431945,437293,442740,459468,489641,504687,509031,526319,590833,610223,610642,629905,637176,651003,657698,658604,670526,673071,693027,715423,720601,743787,747125,748738,749210,749213,749735,750618,751718,751946,751977,754447,754677,761500,774710,784670,784994,787526,793420,799119,802184,803004,809831,811890,822642,825221,828513,831629,832833,834601,835687,839107,84331,849377,855666,855676,856687,857203,857850,858239,867887,869945,871152,872299,873351,876282,876710,876712,876748,880891,885662,885882,889013,889363,892477,892480,895129,898917,901223,901277,901902,902364,906878,907584,908362,908372,912014,912015,912018,912292,912293,912294,912296,912460,913229,915479,917607,917759,917815,919648,920236,922448,922488,922496,922499,922500,926597,929678,929736,930189,931698,931978,933898,933911,934487,934489,934491,934493,935856,937085,937212,937492,937634,937912,939456,940608,942385,942751,943421,944204,945455,946648,947104,947357,947679,948198,952871,954256,954486,954690,957812,957813,957815,958501,961334,962291,963415,963974,964204,964472,964474,965830,967128,968046,968047,968048,968050,968265,968270,968374,968601,975875,976942,977584,977614,977615,977616,977663,978224,981848,982268,982575,983249,984323,985054,988086,990207,990392,990419,990428,991193,991877,992120,992988,992989,992992,993130,993819,993825,993968,994749,994844,994910,995075,995324,995359,995377,995959,996255,997043,997614,998190,999665,999666,999668 CVE References: CVE-2006-2937,CVE-2006-2940,CVE-2006-3738,CVE-2006-4339,CVE-2006-4343,CVE-2006-7250,CVE-2007-3108,CVE-2007-4995,CVE-2007-5135,CVE-2008-0891,CVE-2008-1672,CVE-2008-5077,CVE-2009-0590,CVE-2009-0591,CVE-2009-0789,CVE-2009-1377,CVE-2009-1378,CVE-2009-1379,CVE-2009-1386,CVE-2009-1387,CVE-2010-0740,CVE-2010-0742,CVE-2010-1633,CVE-2010-2939,CVE-2010-3864,CVE-2010-5298,CVE-2011-0014,CVE-2011-3207,CVE-2011-3210,CVE-2011-3389,CVE-2011-4108,CVE-2011-4576,CVE-2011-4577,CVE-2011-4619,CVE-2011-4944,CVE-2012-0027,CVE-2012-0050,CVE-2012-0845,CVE-2012-0884,CVE-2012-1150,CVE-2012-1165,CVE-2012-2110,CVE-2012-2686,CVE-2012-4929,CVE-2013-0166,CVE-2013-0169,CVE-2013-1752,CVE-2013-4238,CVE-2013-4314,CVE-2013-4353,CVE-2013-6449,CVE-2013-6450,CVE-2014-0012,CVE-2014-0076,CVE-2014-0160,CVE-2014-0195,CVE-2014-0198,CVE-2014-0221,CVE-2014-0224,CVE-2014-1829,CVE-2014-1830,CVE-2014-2667,CVE-2014-3470,CVE-2014-3505,CVE-2014-3506,CVE-2014-3507,CVE-2014-3508,CVE-2014-3509,CVE-2014-3510,CVE-2014-3511,CVE-2014-3512,CVE-2014-3513,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-4650,CVE-2014-5139,CVE-2014-7202,CVE-2014-7203,CVE-2014-8275,CVE-2014-9721,CVE-2015-0204,CVE-2015-0205,CVE-2015-0206,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0293,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-2296,CVE-2015-3194,CVE-2015-3195,CVE-2015-3196,CVE-2015-3197,CVE-2015-3216,CVE-2015-4000,CVE-2016-0702,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800,CVE-2016-10745,CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2109,CVE-2016-2176,CVE-2016-2177,CVE-2016-2178,CVE-2016-2179,CVE-2016-2180,CVE-2016-2181,CVE-2016-2182,CVE-2016-2183,CVE-2016-6302,CVE-2016-6303,CVE-2016-6304,CVE-2016-6306,CVE-2016-7052,CVE-2016-7055,CVE-2016-9015,CVE-2017-18342,CVE-2017-3731,CVE-2017-3732,CVE-2017-3735,CVE-2017-3736,CVE-2017-3737,CVE-2017-3738,CVE-2018-0732,CVE-2018-0734,CVE-2018-0737,CVE-2018-0739,CVE-2018-18074,CVE-2018-20060,CVE-2018-5407,CVE-2018-7750,CVE-2019-10906,CVE-2019-11236,CVE-2019-11324,CVE-2019-13132,CVE-2019-1547,CVE-2019-1551,CVE-2019-1559,CVE-2019-1563,CVE-2019-20907,CVE-2019-20916,CVE-2019-5010,CVE-2019-6250,CVE-2019-8341,CVE-2019-9740,CVE-2019-9947,CVE-2020-14343,CVE-2020-15166,CVE-2020-15523,CVE-2020-15801,CVE-2020-1747,CVE-2020-1971,CVE-2020-25659,CVE-2020-26137,CVE-2020-27783,CVE-2020-28493,CVE-2020-29651,CVE-2020-36242,CVE-2020-8492,CVE-2021-23336,CVE-2021-23840,CVE-2021-23841,CVE-2021-28957,CVE-2021-29921,CVE-2021-3177,CVE-2021-33503,CVE-2021-3426,CVE-2021-3712 JIRA References: ECO-3105,SLE-11435,SLE-12684,SLE-12986,SLE-13688,SLE-14253,SLE-15159,SLE-15860,SLE-15861,SLE-16754,SLE-17532,SLE-17957,SLE-18260,SLE-18354,SLE-18446,SLE-19264,SLE-3887,SLE-4480,SLE-4577,SLE-7686,SLE-9135 Sources used: SUSE Manager Tools 12-BETA (src): venv-salt-minion-3002.2-3.3.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.