Bug 977614 - (CVE-2016-2105) VUL-0: CVE-2016-2105: openssl: EVP_EncodeUpdate overflow
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Minor
Assigned To: Security Team bot
CVSSv2:SUSE:CVE-2016-2105:3.3:(AV:L/A...
Blocks: 977584
Reported: 2016-04-28 11:16 UTC by Andreas Stieger
Modified: 2022-02-16 21:23 UTC

Found By: Security Response Team

Attachments
reproducer.c (632 bytes, text/plain)
2016-05-02 09:23 UTC, Marcus Meissner

Comment 1 Andreas Stieger 2016-04-28 12:10:59 UTC
CRD: 2016-05-03 15:00 UTC
Comment 2 Swamp Workflow Management 2016-04-28 22:00:24 UTC
bugbot adjusting priority
Comment 11 Marcus Meissner 2016-05-02 09:23:19 UTC
Created attachment 675180
reproducer.c

gcc -O2 -o xx xx.c -lcrypto 

./xx

before:
outbufcnt 65
Segmentation fault

after:
./xx
outbufcnt 65
outbufcnt 0x0

(no segfault)
Comment 15 Swamp Workflow Management 2016-05-03 08:03:15 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-05-10.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62679
Comment 16 Marcus Meissner 2016-05-03 11:15:17 UTC
public in git

commit fec6d1e868aad9c133e9096fc089ff52293612bf
Author: Matt Caswell <matt@openssl.org>
Date:   Mon Apr 25 11:54:30 2016 +0100

    Add documentation for EVP_EncodeInit() and similar functions
    
    Reviewed-by: Richard Levitte <levitte@openssl.org>

commit 5d20e98465ad2d9af52190d42ca2b9deedcf9e8e
Author: Matt Caswell <matt@openssl.org>
Date:   Mon Apr 25 09:06:29 2016 +0100

    Ensure EVP_EncodeUpdate handles an output length that is too long
    
    With the EVP_EncodeUpdate function it is the caller's responsibility to
    determine how big the output buffer should be. The function writes the
    amount actually used to |*outl|. However this could go negative with a
    sufficiently large value for |inl|. We add a check for this error
    condition.
    
    Reviewed-by: Richard Levitte <levitte@openssl.org>

commit 5b814481f3573fa9677f3a31ee51322e2a22ee6a
Author: Matt Caswell <matt@openssl.org>
Date:   Fri Mar 4 10:17:17 2016 +0000

    Avoid overflow in EVP_EncodeUpdate
    
    An overflow can occur in the EVP_EncodeUpdate function which is used for
    Base64 encoding of binary data. If an attacker is able to supply very large
    amounts of input data then a length check can overflow resulting in a heap
    corruption. Due to the very large amounts of data involved this will most
    likely result in a crash.
    
    Internally to OpenSSL the EVP_EncodeUpdate function is primarily used by the
    PEM_write_bio* family of functions. These are mainly used within the
    OpenSSL command line applications, so any application which processes
    data from an untrusted source and outputs it as a PEM file should be
    considered vulnerable to this issue.
    
    User applications that call these APIs directly with large amounts of
    untrusted data may also be vulnerable.
    
    Issue reported by Guido Vranken.
    
    CVE-2016-2105
    
    Reviewed-by: Richard Levitte <levitte@openssl.org>
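
The two conditions the commit messages in Comment 16 describe, a length check that overflows and an output count that goes negative, can be modelled in a few lines. This is an added example, not code from this bug report or from OpenSSL; the struct, the function names and the 48-byte line size (48 input bytes give 64 Base64 characters plus a newline) are assumptions made for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a streaming Base64 encoder state (not OpenSSL's struct):
 * `num` bytes of a partial line are already buffered, a full line is `length`. */
struct enc_ctx { int num; int length; };

#define LINE_IN  48   /* assumed input bytes per output line */
#define LINE_OUT 65   /* 64 Base64 characters plus '\n' */

/* a + b with two's-complement wraparound, computed without undefined behaviour. */
static int wrap_add(int a, int b)
{
    int64_t s = (int64_t)a + b;
    if (s > INT_MAX) s -= (int64_t)UINT_MAX + 1;
    if (s < INT_MIN) s += (int64_t)UINT_MAX + 1;
    return (int)s;
}

/* Flawed check: "does inl fit in the partial-line buffer?" decided by addition.
 * For inl near INT_MAX the sum wraps negative and the answer is wrongly yes,
 * so a copy of inl bytes into the small line buffer would follow. */
int fits_by_addition(const struct enc_ctx *c, int inl)
{
    return wrap_add(c->num, inl) < c->length;
}

/* Hardened check: length - num is the small remaining space and cannot overflow. */
int fits_by_subtraction(const struct enc_ctx *c, int inl)
{
    return inl > 0 && c->length - c->num > inl;
}

/* Bytes one update call would emit, or -1 if the count does not fit the int
 * that reports it (the "could go negative" case from the second commit). */
int update_output_len(const struct enc_ctx *c, int inl)
{
    if (inl < 0 || c->num < 0 || c->num >= c->length)
        return -1;
    int64_t lines = ((int64_t)c->num + inl) / c->length;  /* full lines flushed */
    int64_t total = lines * LINE_OUT;
    return total > INT_MAX ? -1 : (int)total;
}

int main(void)
{
    struct enc_ctx c = { 1, LINE_IN };   /* one byte already buffered */
    int sizes[] = { 10, 47, INT_MAX };   /* constructed sample input lengths */

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("inl=%-10d addition=%d subtraction=%d outl=%d\n", sizes[i],
               fits_by_addition(&c, sizes[i]),
               fits_by_subtraction(&c, sizes[i]),
               update_output_len(&c, sizes[i]));
    return 0;
}
```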
Comment 17 Bernhard Wiedemann 2016-05-03 15:00:25 UTC
This is an autogenerated message for OBS integration:
This bug (977614) was mentioned in
https://build.opensuse.org/request/show/393430 13.2+42.1 / openssl
Comment 18 Bernhard Wiedemann 2016-05-03 16:00:20 UTC
This is an autogenerated message for OBS integration:
This bug (977614) was mentioned in
https://build.opensuse.org/request/show/393456 Factory / openssl
Comment 19 Bernhard Wiedemann 2016-05-03 18:00:25 UTC
This is an autogenerated message for OBS integration:
This bug (977614) was mentioned in
https://build.opensuse.org/request/show/393469 13.2+42.1 / libopenssl0_9_8
Comment 22 Swamp Workflow Management 2016-05-03 20:09:05 UTC
SUSE-SU-2016:1206-1: An update that solves 5 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 889013,971354,976942,976943,977614,977615,977616,977617,977621
CVE References: CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2108,CVE-2016-2109
Sources used:
SUSE Linux Enterprise Server 11-SECURITY (src):    openssl1-1.0.1g-0.47.1
Comment 23 Swamp Workflow Management 2016-05-04 14:14:57 UTC
SUSE-SU-2016:1228-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 958501,976942,976943,977614,977615,977616,977617,977621
CVE References: CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2108,CVE-2016-2109
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    openssl-1.0.1i-27.16.1
SUSE Linux Enterprise Server 12 (src):    openssl-1.0.1i-27.16.1
SUSE Linux Enterprise Desktop 12 (src):    openssl-1.0.1i-27.16.1
Comment 24 Swamp Workflow Management 2016-05-04 16:10:24 UTC
SUSE-SU-2016:1233-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 958501,976942,976943,977614,977615,977616,977617,977621
CVE References: CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2108,CVE-2016-2109
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    openssl-1.0.1i-47.1
SUSE Linux Enterprise Server 12-SP1 (src):    openssl-1.0.1i-47.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    openssl-1.0.1i-47.1
Comment 25 Swamp Workflow Management 2016-05-05 11:08:00 UTC
openSUSE-SU-2016:1237-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 976942,976943,977614,977615,977616,977617
CVE References: CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE Evergreen 11.4 (src):    openssl-1.0.1p-74.1
Comment 26 Swamp Workflow Management 2016-05-05 11:09:05 UTC
openSUSE-SU-2016:1238-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 958501,976942,976943,977614,977615,977616,977617,977621
CVE References: CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE 13.2 (src):    openssl-1.0.1k-2.36.1
Comment 27 Swamp Workflow Management 2016-05-05 11:10:57 UTC
openSUSE-SU-2016:1239-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 963415,968046,968048,968050,968374,976942,976943,977614,977615,977617
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE Evergreen 11.4 (src):    libopenssl0_9_8-0.9.8zh-14.1
Comment 28 Swamp Workflow Management 2016-05-05 11:11:42 UTC
openSUSE-SU-2016:1240-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 976942,976943,977614,977615,977616,977617
CVE References: CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE 13.1 (src):    openssl-1.0.1k-11.87.1
Comment 29 Swamp Workflow Management 2016-05-05 11:13:19 UTC
openSUSE-SU-2016:1241-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 963415,968046,968048,968050,968374,976942,976943,977614,977615,977617
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE 13.1 (src):    libopenssl0_9_8-0.9.8zh-5.3.1
Comment 30 Swamp Workflow Management 2016-05-05 16:08:31 UTC
openSUSE-SU-2016:1242-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 968050,976942,976943,977614,977615,977617
CVE References: CVE-2016-0702,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE Leap 42.1 (src):    libopenssl0_9_8-0.9.8zh-17.1
openSUSE 13.2 (src):    libopenssl0_9_8-0.9.8zh-9.6.1
Comment 31 Swamp Workflow Management 2016-05-05 16:09:24 UTC
openSUSE-SU-2016:1243-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 958501,976942,976943,977614,977615,977616,977617,977621
CVE References: CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE Leap 42.1 (src):    openssl-1.0.1i-15.1
Comment 32 Swamp Workflow Management 2016-05-09 10:08:48 UTC
SUSE-SU-2016:1267-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 889013,968050,976942,976943,977614,977615,977617
CVE References: CVE-2016-0702,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    compat-openssl098-0.9.8j-97.1
SUSE Linux Enterprise Module for Legacy Software 12 (src):    compat-openssl098-0.9.8j-97.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    compat-openssl098-0.9.8j-97.1
SUSE Linux Enterprise Desktop 12 (src):    compat-openssl098-0.9.8j-97.1
Comment 33 Swamp Workflow Management 2016-05-10 22:08:28 UTC
openSUSE-SU-2016:1273-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 889013,968050,976942,976943,977614,977615,977617
CVE References: CVE-2016-0702,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE Leap 42.1 (src):    compat-openssl098-0.9.8j-12.2
Comment 34 Bernhard Wiedemann 2016-05-11 10:00:31 UTC
This is an autogenerated message for OBS integration:
This bug (977614) was mentioned in
https://build.opensuse.org/request/show/394817 42.2 / openssl
Comment 35 Swamp Workflow Management 2016-05-12 18:08:49 UTC
SUSE-SU-2016:1290-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 889013,968050,976942,976943,977614,977615,977617
CVE References: CVE-2016-0702,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
SUSE Studio Onsite 1.3 (src):    openssl-0.9.8j-0.97.1
SUSE OpenStack Cloud 5 (src):    openssl-0.9.8j-0.97.1
SUSE Manager Proxy 2.1 (src):    openssl-0.9.8j-0.97.1
SUSE Manager 2.1 (src):    openssl-0.9.8j-0.97.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    openssl-0.9.8j-0.97.1
SUSE Linux Enterprise Server 11-SP4 (src):    openssl-0.9.8j-0.97.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    openssl-0.9.8j-0.97.1
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    openssl-0.9.8j-0.97.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    openssl-0.9.8j-0.97.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    openssl-0.9.8j-0.97.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    openssl-0.9.8j-0.97.1
Comment 36 Marcus Meissner 2016-05-13 09:36:17 UTC
released updates
Comment 37 Swamp Workflow Management 2016-05-19 17:10:38 UTC
SUSE-SU-2016:1360-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 968050,973223,976942,976943,977614,977615,977617
CVE References: CVE-2016-0702,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    openssl-0.9.8a-18.96.1
Comment 38 Swamp Workflow Management 2016-06-14 09:09:09 UTC
openSUSE-SU-2016:1566-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 968047,968048,968050,977614,977616
CVE References: CVE-2016-0702,CVE-2016-0705,CVE-2016-0797,CVE-2016-2105,CVE-2016-2107
Sources used:
openSUSE Leap 42.1 (src):    nodejs-4.4.5-27.1
openSUSE 13.2 (src):    nodejs-4.4.5-18.1
Comment 39 Bernhard Wiedemann 2016-10-27 14:02:26 UTC
This is an autogenerated message for OBS integration:
This bug (977614) was mentioned in
https://build.opensuse.org/request/show/437518 13.2+42.1 / mysql-community-server
Comment 40 Bernhard Wiedemann 2016-11-02 23:02:37 UTC
This is an autogenerated message for OBS integration:
This bug (977614) was mentioned in
https://build.opensuse.org/request/show/438417 42.2 / mysql-community-server
Comment 41 Swamp Workflow Management 2016-11-10 16:10:58 UTC
openSUSE-SU-2016:2769-1: An update that solves 27 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1005555,1005557,1005558,1005560,1005561,1005562,1005563,1005566,1005567,1005569,1005570,1005581,1005582,1005583,1005586,971456,977614,983938,986251,989911,989913,989914,989915,989919,989921,989922,989925,989926,990890,998309,999666
CVE References: CVE-2016-2105,CVE-2016-3459,CVE-2016-3477,CVE-2016-3486,CVE-2016-3492,CVE-2016-3501,CVE-2016-3521,CVE-2016-3614,CVE-2016-3615,CVE-2016-5439,CVE-2016-5440,CVE-2016-5507,CVE-2016-5584,CVE-2016-5609,CVE-2016-5612,CVE-2016-5616,CVE-2016-5617,CVE-2016-5626,CVE-2016-5627,CVE-2016-5629,CVE-2016-5630,CVE-2016-6304,CVE-2016-6662,CVE-2016-7440,CVE-2016-8283,CVE-2016-8284,CVE-2016-8288
Sources used:
openSUSE Leap 42.1 (src):    mysql-community-server-5.6.34-19.2
openSUSE 13.2 (src):    mysql-community-server-5.6.34-2.23.1
Comment 42 Swamp Workflow Management 2016-11-12 14:07:19 UTC
openSUSE-SU-2016:2788-1: An update that solves 27 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1005555,1005557,1005558,1005560,1005561,1005562,1005563,1005566,1005567,1005569,1005570,1005581,1005582,1005583,1005586,971456,977614,983938,986251,989911,989913,989914,989915,989919,989921,989922,989925,989926,990890,998309,999666
CVE References: CVE-2016-2105,CVE-2016-3459,CVE-2016-3477,CVE-2016-3486,CVE-2016-3492,CVE-2016-3501,CVE-2016-3521,CVE-2016-3614,CVE-2016-3615,CVE-2016-5439,CVE-2016-5440,CVE-2016-5507,CVE-2016-5584,CVE-2016-5609,CVE-2016-5612,CVE-2016-5616,CVE-2016-5617,CVE-2016-5626,CVE-2016-5627,CVE-2016-5629,CVE-2016-5630,CVE-2016-6304,CVE-2016-6662,CVE-2016-7440,CVE-2016-8283,CVE-2016-8284,CVE-2016-8288
Sources used:
openSUSE Leap 42.2 (src):    mysql-community-server-5.6.34-19.2
Comment 44 Swamp Workflow Management 2022-02-16 21:23:35 UTC
SUSE-FU-2022:0445-1: An update that solves 183 vulnerabilities, contains 21 features and has 299 fixes is now available.

Category: feature (moderate)
JIRA References: ECO-3105,SLE-11435,SLE-12684,SLE-12986,SLE-13688,SLE-14253,SLE-15159,SLE-15860,SLE-15861,SLE-16754,SLE-17532,SLE-17957,SLE-18260,SLE-18354,SLE-18446,SLE-19264,SLE-3887,SLE-4480,SLE-4577,SLE-7686,SLE-9135
Sources used:
SUSE Manager Tools 12-BETA (src):    venv-salt-minion-3002.2-3.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.