Synopsis: Moderate: openssl security update
Issue date: 2007-10-22
CVE Names: CVE-2007-3108 CVE-2007-5135
A flaw was found in the SSL_get_shared_ciphers() utility function. An
attacker could send a list of ciphers to an application that used this
function and overrun a buffer with a single byte (CVE-2007-5135). Few
applications make use of this vulnerable function, and it is generally used
only when applications are compiled for debugging.
A number of possible side-channel attacks were discovered affecting
OpenSSL. A local attacker could possibly obtain RSA private keys being
used on a system. In practice these attacks would be difficult to perform
outside of a lab environment. This update contains backported patches
designed to mitigate these issues (CVE-2007-3108).
Note: After installing this update, users are advised to either restart all
services that use OpenSSL or restart their system.
SL 3.0.x
SRPMS:
openssl-0.9.7a-33.24.src.rpm
i386:
openssl-0.9.7a-33.24.i386.rpm
openssl-0.9.7a-33.24.i686.rpm
openssl-devel-0.9.7a-33.24.i386.rpm
openssl-perl-0.9.7a-33.24.i386.rpm
x86_64:
openssl-0.9.7a-33.24.i686.rpm
openssl-0.9.7a-33.24.x86_64.rpm
openssl-devel-0.9.7a-33.24.x86_64.rpm
openssl-perl-0.9.7a-33.24.x86_64.rpm
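Checking whether an installed openssl is at or above the fixed build above needs rpm's segment-wise version comparison, not a plain string compare (a release of 33.3 is older than 33.24). The script below is an added example, not part of the advisory: it parses the package filenames listed above to obtain the fixed version-release, re-implements rpm's comparison in pure Python (tilde/caret handling and epochs are left out, which is an assumption), and compares constructed sample values of the kind `rpm -q --qf '%{VERSION}-%{RELEASE}' openssl` would print.

```python
import re

# Fixed version-release is taken from the advisory's SL 3.0.x package list.
ADVISORY_PACKAGES = [
    "openssl-0.9.7a-33.24.i386.rpm",
    "openssl-devel-0.9.7a-33.24.i386.rpm",
    "openssl-perl-0.9.7a-33.24.x86_64.rpm",
]

_RPM_FILE = re.compile(
    r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)\.rpm$")

def parse_rpm_filename(filename):
    """Split 'name-version-release.arch.rpm' into (name, version, release, arch)."""
    m = _RPM_FILE.match(filename)
    if not m:
        raise ValueError("not an rpm filename: %s" % filename)
    return m.group("name"), m.group("ver"), m.group("rel"), m.group("arch")

def rpmvercmp(a, b):
    """Pure-Python re-implementation of rpm's version comparison: digit runs
    compare numerically, letter runs alphabetically, digits rank above letters,
    and a string with segments left over is newer. Tilde/caret rules and
    epochs are omitted (assumption of this example)."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def compare_vr(installed_vr, fixed_vr):
    """Compare two 'version-release' strings; version decides, then release."""
    iv, ir = installed_vr.rsplit("-", 1)
    fv, fr = fixed_vr.rsplit("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)

def is_patched(installed_vr, advisory_files=ADVISORY_PACKAGES):
    """True when the installed openssl is at or above the advisory's fixed build."""
    fixed = {"%s-%s" % parse_rpm_filename(f)[1:3] for f in advisory_files}
    assert len(fixed) == 1, "advisory lists more than one fixed version"
    return compare_vr(installed_vr, fixed.pop()) >= 0

if __name__ == "__main__":
    # Constructed sample values, as rpm -q --qf '%{VERSION}-%{RELEASE}' would print them.
    for installed in ("0.9.7a-33.21", "0.9.7a-33.24", "0.9.7a-33.3", "0.9.7a-33.24.1"):
        print(installed, "patched" if is_patched(installed) else "UPDATE NEEDED")
```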
-Connie Sieh
-Troy Dawson