SUSE: CVE-2018-8970: SUSE Linux Security Advisory
Description
The int_x509_param_set_hosts function in lib/libcrypto/x509/x509_vpm.c in LibreSSL 2.7.0 before 2.7.1 does not support a certain special case of a zero name length, which causes silent omission of hostname verification, and consequently allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. NOTE: the LibreSSL documentation indicates that this special case is supported, but the BoringSSL documentation does not.
Solution(s)
- suse-upgrade-libcrypto43
- suse-upgrade-libcrypto43-32bit
- suse-upgrade-libcrypto43-debuginfo
- suse-upgrade-libcrypto43-debuginfo-32bit
- suse-upgrade-libressl
- suse-upgrade-libressl-debuginfo
- suse-upgrade-libressl-debugsource
- suse-upgrade-libressl-devel
- suse-upgrade-libressl-devel-32bit
- suse-upgrade-libressl-devel-doc
- suse-upgrade-libssl45
- suse-upgrade-libssl45-32bit
- suse-upgrade-libssl45-debuginfo
- suse-upgrade-libssl45-debuginfo-32bit
- suse-upgrade-libtls17
- suse-upgrade-libtls17-32bit
- suse-upgrade-libtls17-debuginfo
- suse-upgrade-libtls17-debuginfo-32bit
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center