Synopsis:          Moderate: openssl security update
Advisory ID:       SLSA-2014:1053-1
Issue Date:        2014-08-13
CVE Numbers:       CVE-2014-0221
                   CVE-2014-3508
                   CVE-2014-3505
                   CVE-2014-3506
                   CVE-2014-3510
--

It was discovered that the OBJ_obj2txt() function could fail to properly
NUL-terminate its output. This could possibly cause an application using
OpenSSL functions to format fields of X.509 certificates to disclose
portions of its memory. (CVE-2014-3508)

Multiple flaws were discovered in the way OpenSSL handled DTLS packets. A
remote attacker could use these flaws to cause a DTLS server or client
using OpenSSL to crash or use excessive amounts of memory. (CVE-2014-0221,
CVE-2014-3505, CVE-2014-3506)

A NULL pointer dereference flaw was found in the way OpenSSL performed a
handshake when using the anonymous Diffie-Hellman (DH) key exchange. A
malicious server could cause a DTLS client using OpenSSL to crash if that
client had anonymous DH cipher suites enabled. (CVE-2014-3510)

For the update to take effect, all services linked to the OpenSSL library
(such as httpd and other SSL-enabled services) must be restarted or the
system rebooted.
--

SL5
  x86_64
    openssl-0.9.8e-27.el5_10.4.i686.rpm
    openssl-0.9.8e-27.el5_10.4.x86_64.rpm
    openssl-debuginfo-0.9.8e-27.el5_10.4.i686.rpm
    openssl-debuginfo-0.9.8e-27.el5_10.4.x86_64.rpm
    openssl-perl-0.9.8e-27.el5_10.4.x86_64.rpm
    openssl-debuginfo-0.9.8e-27.el5_10.4.i386.rpm
    openssl-devel-0.9.8e-27.el5_10.4.i386.rpm
    openssl-devel-0.9.8e-27.el5_10.4.x86_64.rpm
  i386
    openssl-0.9.8e-27.el5_10.4.i386.rpm
    openssl-0.9.8e-27.el5_10.4.i686.rpm
    openssl-debuginfo-0.9.8e-27.el5_10.4.i386.rpm
    openssl-debuginfo-0.9.8e-27.el5_10.4.i686.rpm
    openssl-perl-0.9.8e-27.el5_10.4.i386.rpm
    openssl-devel-0.9.8e-27.el5_10.4.i386.rpm

- Scientific Linux Development Team