SCIENTIFIC-LINUX-ERRATA Archives

March 2013

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Security ERRATA Moderate: openssl on SL5.x, SL6.x i386/x86_64
From:
Pat Riehecky <[log in to unmask]>
Reply To:
Pat Riehecky <[log in to unmask]>
Date:
Mon, 4 Mar 2013 16:58:32 -0600
Content-Type:
text/plain
Parts/Attachments:
text/plain (73 lines) 
Synopsis:          Moderate: openssl security update
Issue Date:        2013-03-04
CVE Numbers:       CVE-2013-0169
                    CVE-2012-4929
                    CVE-2013-0166
--

It was discovered that OpenSSL leaked timing information when decrypting
TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites
were used. A remote attacker could possibly use this flaw to retrieve
plain text from the encrypted packets by using a TLS/SSL or DTLS server 
as a padding oracle. (CVE-2013-0169)

A NULL pointer dereference flaw was found in the OCSP response
verification in OpenSSL. A malicious OCSP server could use this flaw to
crash applications performing OCSP verification by sending a specially-
crafted response. (CVE-2013-0166)

It was discovered that the TLS/SSL protocol could leak information about
plain text when optional compression was used. An attacker able to control
part of the plain text sent over an encrypted TLS/SSL connection could
possibly use this flaw to recover other portions of the plain text.
(CVE-2012-4929)

Note: This update disables zlib compression, which was previously enabled
in OpenSSL by default. Applications using OpenSSL now need to explicitly
enable zlib compression to use it.

It was found that OpenSSL read certain environment variables even when
used by a privileged (setuid or setgid) application. A local attacker
could use this flaw to escalate their privileges. No application shipped
with Scientific Linux 5 and 6 was affected by this problem.

For the update to take effect, all services linked to the OpenSSL
library must be restarted, or the system rebooted.
--

SL5
   x86_64
     openssl-0.9.8e-26.el5_9.1.i686.rpm
     openssl-0.9.8e-26.el5_9.1.x86_64.rpm
     openssl-debuginfo-0.9.8e-26.el5_9.1.i686.rpm
     openssl-debuginfo-0.9.8e-26.el5_9.1.x86_64.rpm
     openssl-perl-0.9.8e-26.el5_9.1.x86_64.rpm
     openssl-debuginfo-0.9.8e-26.el5_9.1.i386.rpm
     openssl-devel-0.9.8e-26.el5_9.1.i386.rpm
     openssl-devel-0.9.8e-26.el5_9.1.x86_64.rpm
   i386
     openssl-0.9.8e-26.el5_9.1.i386.rpm
     openssl-0.9.8e-26.el5_9.1.i686.rpm
     openssl-debuginfo-0.9.8e-26.el5_9.1.i386.rpm
     openssl-debuginfo-0.9.8e-26.el5_9.1.i686.rpm
     openssl-perl-0.9.8e-26.el5_9.1.i386.rpm
     openssl-devel-0.9.8e-26.el5_9.1.i386.rpm
SL6
   x86_64
     openssl-1.0.0-27.el6_4.2.i686.rpm
     openssl-1.0.0-27.el6_4.2.x86_64.rpm
     openssl-debuginfo-1.0.0-27.el6_4.2.i686.rpm
     openssl-debuginfo-1.0.0-27.el6_4.2.x86_64.rpm
     openssl-devel-1.0.0-27.el6_4.2.i686.rpm
     openssl-devel-1.0.0-27.el6_4.2.x86_64.rpm
     openssl-perl-1.0.0-27.el6_4.2.x86_64.rpm
     openssl-static-1.0.0-27.el6_4.2.x86_64.rpm
   i386
     openssl-1.0.0-27.el6_4.2.i686.rpm
     openssl-debuginfo-1.0.0-27.el6_4.2.i686.rpm
     openssl-devel-1.0.0-27.el6_4.2.i686.rpm
     openssl-perl-1.0.0-27.el6_4.2.i686.rpm
     openssl-static-1.0.0-27.el6_4.2.i686.rpm

- Scientific Linux Development Team

ATOM RSS1 RSS2