SCIENTIFIC-LINUX-ERRATA Archives

March 2010

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Security ERRATA Moderate: openssl097a on SL5.x i386/x86_64
From:
Troy Dawson <[log in to unmask]>
Reply To:
Troy Dawson <[log in to unmask]>
Date:
Thu, 25 Mar 2010 10:59:50 -0500
Content-Type:
text/plain
Parts/Attachments:
text/plain (34 lines) 
Synopsis:	Moderate: openssl097a security update
Issue date:	2010-03-25
CVE Names:	CVE-2009-3555

CVE-2009-3555 TLS: MITM attacks via session renegotiation

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure
Sockets Layer) protocols handled session renegotiation. A 
man-in-the-middle attacker could use this flaw to prefix arbitrary plain 
text to a client's session (for example, an HTTPS connection to a 
website). This could force the server to process an attacker's request 
as if authenticated using the victim's credentials. This update 
addresses this flaw by implementing the TLS Renegotiation Indication 
Extension, as defined in RFC 5746. (CVE-2009-3555)

Refer to the following Knowledgebase article for additional details 
about this flaw: http://kbase.redhat.com/faq/docs/DOC-20491

For the update to take effect, all services linked to the openssl097a 
library must be restarted, or the system rebooted.

SL 5.x

     SRPMS:
openssl097a-0.9.7a-9.el5_4.2.src.rpm
     i386:
openssl097a-0.9.7a-9.el5_4.2.i386.rpm
     x86_64:
openssl097a-0.9.7a-9.el5_4.2.i386.rpm
openssl097a-0.9.7a-9.el5_4.2.x86_64.rpm

-Connie Sieh
-Troy Dawson

ATOM RSS1 RSS2