LISTSERV - SCIENTIFIC-LINUX-ERRATA Archives

SCIENTIFIC-LINUX-ERRATA Archives

March 2012

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-ERRATA Home
	SCIENTIFIC-LINUX-ERRATA March 2012

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Security ERRATA Moderate: openssl on SL5.x, SL6.x i386/x86_64
From:	Patrick Riehecky <[log in to unmask]>
Reply To:	[log in to unmask]
Date:	Wed, 28 Mar 2012 11:37:05 -0500
Content-Type:	text/plain
Parts/Attachments:	text/plain (66 lines)

Synopsis:    Moderate: openssl security and bug fix update
Issue Date:  2012-03-27
CVE Numbers: CVE-2012-1165
             CVE-2012-0884


OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a
full-strength, general purpose cryptography library.

A NULL pointer dereference flaw was found in the way OpenSSL parsed
Secure/Multipurpose Internet Mail Extensions (S/MIME) messages. An attacker
could use this flaw to crash an application that uses OpenSSL to decrypt or
verify S/MIME messages. (CVE-2012-1165)

A flaw was found in the PKCS#7 and Cryptographic Message Syntax (CMS)
implementations in OpenSSL. An attacker could possibly use this flaw to
perform a Bleichenbacher attack to decrypt an encrypted CMS, PKCS#7, or
S/MIME message by sending a large number of chosen ciphertext messages to
a service using OpenSSL and measuring error response times. (CVE-2012-0884)

This update also fixes a regression caused by the fix for CVE-2011-4619,
released in a previous update, which caused Server Gated Cryptography
(SGC) handshakes to fail.

All OpenSSL users should upgrade to these updated packages, which contain
backported patches to resolve these issues. For the update to take effect,
all services linked to the OpenSSL library must be restarted, or the system
rebooted.

SL5:
  i386
     openssl-0.9.8e-22.el5_8.1.i386.rpm
     openssl-0.9.8e-22.el5_8.1.i686.rpm
     openssl-debuginfo-0.9.8e-22.el5_8.1.i386.rpm
     openssl-debuginfo-0.9.8e-22.el5_8.1.i686.rpm
     openssl-devel-0.9.8e-22.el5_8.1.i386.rpm
     openssl-perl-0.9.8e-22.el5_8.1.i386.rpm
  x86_64
     openssl-0.9.8e-22.el5_8.1.i686.rpm
     openssl-0.9.8e-22.el5_8.1.x86_64.rpm
     openssl-debuginfo-0.9.8e-22.el5_8.1.i386.rpm
     openssl-debuginfo-0.9.8e-22.el5_8.1.i686.rpm
     openssl-debuginfo-0.9.8e-22.el5_8.1.x86_64.rpm
     openssl-devel-0.9.8e-22.el5_8.1.i386.rpm
     openssl-devel-0.9.8e-22.el5_8.1.x86_64.rpm
     openssl-perl-0.9.8e-22.el5_8.1.x86_64.rpm
SL6:
  i386
     openssl-1.0.0-20.el6_2.3.i686.rpm
     openssl-debuginfo-1.0.0-20.el6_2.3.i686.rpm
     openssl-devel-1.0.0-20.el6_2.3.i686.rpm
     openssl-perl-1.0.0-20.el6_2.3.i686.rpm
     openssl-static-1.0.0-20.el6_2.3.i686.rpm
  x86_64
     openssl-1.0.0-20.el6_2.3.i686.rpm
     openssl-1.0.0-20.el6_2.3.x86_64.rpm
     openssl-debuginfo-1.0.0-20.el6_2.3.i686.rpm
     openssl-debuginfo-1.0.0-20.el6_2.3.x86_64.rpm
     openssl-devel-1.0.0-20.el6_2.3.i686.rpm
     openssl-devel-1.0.0-20.el6_2.3.x86_64.rpm
     openssl-perl-1.0.0-20.el6_2.3.x86_64.rpm
     openssl-static-1.0.0-20.el6_2.3.x86_64.rpm

- Scientific Linux Development Team

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV