Synopsis:	Moderate: openssl security update
Issue date:	2010-01-19
CVE Names:	CVE-2009-2409 CVE-2009-4355

CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky)
CVE-2009-4355 openssl significant memory leak in certain SSLv3 requests 
(DoS)

It was found that the OpenSSL library did not properly re-initialize its
internal state in the SSL_library_init() function after previous calls 
to the CRYPTO_cleanup_all_ex_data() function, which would cause a memory 
leak for each subsequent SSL connection. This flaw could cause server
applications that call those functions during reload, such as a 
combination of the Apache HTTP Server, mod_ssl, PHP, and cURL, to 
consume all available memory, resulting in a denial of service. 
(CVE-2009-4355)

Dan Kaminsky found that browsers could accept certificates with MD2 hash
signatures, even though MD2 is no longer considered a cryptographically
strong algorithm. This could make it easier for an attacker to create a
malicious certificate that would be treated as trusted by a browser.
OpenSSL now disables the use of the MD2 algorithm inside signatures by
default. (CVE-2009-2409)

For the update to take effect, all services linked to the OpenSSL 
library must be restarted, or the system rebooted.

SL 5.x

     SRPMS:
openssl-0.9.8e-12.el5_4.1.src.rpm
     i386:
openssl-0.9.8e-12.el5_4.1.i386.rpm
openssl-0.9.8e-12.el5_4.1.i686.rpm
openssl-devel-0.9.8e-12.el5_4.1.i386.rpm
openssl-perl-0.9.8e-12.el5_4.1.i386.rpm
     x86_64:
openssl-0.9.8e-12.el5_4.1.i686.rpm
openssl-0.9.8e-12.el5_4.1.x86_64.rpm
openssl-devel-0.9.8e-12.el5_4.1.i386.rpm
openssl-devel-0.9.8e-12.el5_4.1.x86_64.rpm
openssl-perl-0.9.8e-12.el5_4.1.x86_64.rpm

-Connie Sieh
-Troy Dawson