SCIENTIFIC-LINUX-ERRATA Archives

December 2010

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

Subject:
From: Troy Dawson <[log in to unmask]>
Reply To: Troy Dawson <[log in to unmask]>
Date: Mon, 13 Dec 2010 14:46:22 -0600
Content-Type: text/plain
Parts/Attachments: text/plain (59 lines)
Synopsis:	Moderate: openssl security update
Issue date:	2010-12-13
CVE Names:	CVE-2008-7270 CVE-2009-3245 CVE-2010-4180

A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server 
code. A remote attacker could possibly use this flaw to change the 
ciphersuite associated with a cached session stored on the server, if 
the server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, 
possibly forcing the client to use a weaker ciphersuite after resuming 
the session. (CVE-2010-4180, CVE-2008-7270)

Note: With this update, setting the 
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this 
bug workaround can no longer be enabled.
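As an added illustration of the downgrade described above (a constructed model, not OpenSSL's or the advisory's code): a toy server session cache shows why letting a resumed handshake change the cached ciphersuite, as the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG workaround did, pins the weaker suite to the session for every later, legitimate resumption. The session ID and ciphersuite names are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    """Server-side cache entry: the ciphersuite negotiated when it was created."""
    session_id: bytes
    cipher: str


class SessionCache:
    """Minimal model of a TLS server session cache (constructed, not OpenSSL code)."""

    def __init__(self, allow_cipher_change: bool = False) -> None:
        # Models the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG workaround.
        # The fixed OpenSSL ignores the option, i.e. always behaves as False.
        self.allow_cipher_change = allow_cipher_change
        self._store: Dict[bytes, Session] = {}

    def new_session(self, session_id: bytes, negotiated_cipher: str) -> Session:
        session = Session(session_id, negotiated_cipher)
        self._store[session_id] = session
        return session

    def resume(self, session_id: bytes, client_offered: List[str]) -> Optional[str]:
        """Ciphersuite a resumed connection will use, or None for a handshake failure."""
        session = self._store.get(session_id)
        if session is None:
            return None  # unknown id; a real server would fall back to a full handshake
        if session.cipher in client_offered:
            return session.cipher
        if not self.allow_cipher_change:
            # Correct behaviour: a resumption must not alter the cached ciphersuite.
            return None
        # Workaround behaviour: accept the client's (simplified: first) cipher and
        # overwrite the cache, so the change persists for every later resumption.
        session.cipher = client_offered[0]
        return session.cipher


def downgrade_demo(allow_cipher_change: bool) -> Tuple[Optional[str], Optional[str]]:
    """Returns (outcome of a tampered resume, cipher a legitimate client gets afterwards)."""
    cache = SessionCache(allow_cipher_change)
    sid = b"\x01" * 32  # constructed session id
    cache.new_session(sid, "AES256-SHA")
    tampered = cache.resume(sid, ["RC4-MD5"])  # resume offering only a weaker suite
    later = cache.resume(sid, ["AES256-SHA", "AES128-SHA", "RC4-MD5"])
    return tampered, later
```

With the workaround off, the tampered resume fails and the legitimate client keeps AES256-SHA; with it on, the cache entry itself is rewritten and the client silently resumes with RC4-MD5.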

It was discovered that OpenSSL did not always check the return value of 
the bn_wexpand() function. An attacker able to trigger a memory 
allocation failure in that function could possibly crash an application 
using the OpenSSL library and its UBSEC hardware engine support. 
(CVE-2009-3245 - SL4 Only)

For the update to take effect, all services linked to the OpenSSL 
library must be restarted, or the system rebooted.

SL 4.x

      SRPMS:
openssl-0.9.7a-43.17.el4_8.6.src.rpm
      i386:
openssl-0.9.7a-43.17.el4_8.6.i386.rpm
openssl-0.9.7a-43.17.el4_8.6.i686.rpm
openssl-devel-0.9.7a-43.17.el4_8.6.i386.rpm
openssl-perl-0.9.7a-43.17.el4_8.6.i386.rpm
      x86_64:
openssl-0.9.7a-43.17.el4_8.6.i686.rpm
openssl-0.9.7a-43.17.el4_8.6.x86_64.rpm
openssl-devel-0.9.7a-43.17.el4_8.6.i386.rpm
openssl-devel-0.9.7a-43.17.el4_8.6.x86_64.rpm
openssl-perl-0.9.7a-43.17.el4_8.6.x86_64.rpm

SL 5.x

      SRPMS:
openssl-0.9.8e-12.el5_5.7.src.rpm
      i386:
openssl-0.9.8e-12.el5_5.7.i386.rpm
openssl-0.9.8e-12.el5_5.7.i686.rpm
openssl-devel-0.9.8e-12.el5_5.7.i386.rpm
openssl-perl-0.9.8e-12.el5_5.7.i386.rpm
      x86_64:
openssl-0.9.8e-12.el5_5.7.i686.rpm
openssl-0.9.8e-12.el5_5.7.x86_64.rpm
openssl-devel-0.9.8e-12.el5_5.7.i386.rpm
openssl-devel-0.9.8e-12.el5_5.7.x86_64.rpm
openssl-perl-0.9.8e-12.el5_5.7.x86_64.rpm

-Connie Sieh
-Troy Dawson
