README VERSION               : 1.1
README CREATION DATE         : 2015-12-01
PATCH-ID                     : 5.20.1.2
PATCH NAME                   : VRTSperl 5.20.1.2
BASE PACKAGE NAME            : VRTSperl
BASE PACKAGE VERSION         : 5.20.1.1
SUPERSEDED PATCHES           : NONE
REQUIRED PATCHES             : NONE
INCOMPATIBLE PATCHES         : NONE
SUPPORTED PADV               : sles12_x86_64
(P-PLATFORM , A-ARCHITECTURE , D-DISTRIBUTION , V-VERSION)
PATCH CATEGORY               : OTHER
PATCH CRITICALITY            : OPTIONAL
HAS KERNEL COMPONENT         : NO
ID                           : NONE
REBOOT REQUIRED              : NO
REQUIRE APPLICATION DOWNTIME : NO

PATCH INSTALLATION INSTRUCTIONS:
--------------------------------
rpm -Uvh VRTSperl-5.20.1.2-SLES12.x86_64.rpm

PATCH UNINSTALLATION INSTRUCTIONS:
----------------------------------
rpm -e VRTSperl

SPECIAL INSTRUCTIONS:
-----------------------------
NONE

SUMMARY OF FIXED ISSUES:
-----------------------------------------
PATCH ID:5.20.1.2
3855542 (3860910) The module OpenSSL 1.0.1m in the VRTSperl package has several security issues.

SUMMARY OF KNOWN ISSUES:
-----------------------------------------
NONE

KNOWN ISSUES :
--------------
NONE

FIXED INCIDENTS:
----------------
PATCH ID:5.20.1.2

* INCIDENT NO:3855542    TRACKING ID:3860910

SYMPTOM: The module OpenSSL 1.0.1m in the VRTSperl package has several security issues.

DESCRIPTION: The following major issues exist in OpenSSL 1.0.1m:
  o Alternate chains certificate forgery (CVE-2015-1793).
  o HMAC ABI incompatibility.
  o Malformed ECParameters causes infinite loop (CVE-2015-1788).
  o Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789).
  o PKCS7 crash with missing EnvelopedContent (CVE-2015-1790).
  o CMS verify infinite loop with unknown hash function (CVE-2015-1792).
  o Race condition handling NewSessionTicket (CVE-2015-1791).

RESOLUTION: The bundled OpenSSL is upgraded from 1.0.1m to 1.0.1p, which fixes several security issues.

INCIDENTS FROM OLD PATCHES:
---------------------------
NONE