SCIENTIFIC-LINUX-ERRATA Archives

October 2007

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Security ERRATA for openssl on SL3,x i386/x86_64
From:
Troy Dawson <[log in to unmask]>
Reply To:
Troy Dawson <[log in to unmask]>
Date:
Mon, 22 Oct 2007 15:12:41 -0500
Content-Type:
text/plain
Parts/Attachments:
text/plain (37 lines) 
Synopsis:	Moderate: openssl security update
Issue date:	2007-10-22
CVE Names:	CVE-2007-3108 CVE-2007-5135

A flaw was found in the SSL_get_shared_ciphers() utility function. An
attacker could send a list of ciphers to an application that used this
function and overrun a buffer with a single byte (CVE-2007-5135). Few
applications make use of this vulnerable function and generally it is used
only when applications are compiled for debugging.

A number of possible side-channel attacks were discovered affecting
OpenSSL. A local attacker could possibly obtain RSA private keys being
used on a system. In practice these attacks would be difficult to perform
outside of a lab environment. This update contains backported patches
designed to mitigate these issues.  (CVE-2007-3108).

Note: After installing this update, users are advised to either restart all
services that use OpenSSL or restart their system.

SL 3.0.x

   SRPMS:
openssl-0.9.7a-33.24.src.rpm
   i386:
openssl-0.9.7a-33.24.i386.rpm
openssl-0.9.7a-33.24.i686.rpm
openssl-devel-0.9.7a-33.24.i386.rpm
openssl-perl-0.9.7a-33.24.i386.rpm
   x86_64:
openssl-0.9.7a-33.24.i686.rpm
openssl-0.9.7a-33.24.x86_64.rpm
openssl-devel-0.9.7a-33.24.x86_64.rpm
openssl-perl-0.9.7a-33.24.x86_64.rpm

-Connie Sieh
-Troy Dawson

ATOM RSS1 RSS2