LISTSERV - SCIENTIFIC-LINUX-ERRATA Archives

SCIENTIFIC-LINUX-ERRATA Archives

October 2014

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-ERRATA Home
	SCIENTIFIC-LINUX-ERRATA October 2014

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Security ERRATA Important: openssl on SL6.x, SL7.x i386/x86_64
From:	Bonnie King <[log in to unmask]>
Reply To:	[log in to unmask]
Date:	Thu, 16 Oct 2014 18:43:44 +0000
Content-Type:	text/plain
Parts/Attachments:	text/plain (72 lines)

Synopsis:          Important: openssl security update
Advisory ID:       SLSA-2014:1652-1
Issue Date:        2014-10-16
CVE Numbers:       CVE-2014-3566
                   CVE-2014-3513
                   CVE-2014-3567
--

This update adds support for the TLS Fallback Signaling Cipher Suite Value
(TLS_FALLBACK_SCSV), which can be used to prevent protocol downgrade
attacks against applications which re-connect using a lower SSL/TLS
protocol version when the initial connection indicating the highest
supported protocol version fails.

This can prevent a forceful downgrade of the communication to SSL 3.0. The
SSL 3.0 protocol was found to be vulnerable to the padding oracle attack
when using block cipher suites in cipher block chaining (CBC) mode. This
issue is identified as CVE-2014-3566, and also known under the alias
POODLE. This SSL 3.0 protocol flaw will not be addressed in a future
update; it is recommended that users configure their applications to
require at least TLS protocol version 1.0 for secure communication.

For additional information about this flaw, see Upstream's Knowledgebase article
at https://access.redhat.com/articles/1232123

A memory leak flaw was found in the way OpenSSL parsed the DTLS Secure
Real-time Transport Protocol (SRTP) extension data. A remote attacker
could send multiple specially crafted handshake messages to exhaust all
available memory of an SSL/TLS or DTLS server. (CVE-2014-3513)

A memory leak flaw was found in the way an OpenSSL handled failed session
ticket integrity checks. A remote attacker could exhaust all available
memory of an SSL/TLS or DTLS server by sending a large number of invalid
session tickets to that server. (CVE-2014-3567)

CVE-2014-3566 issue and correct the CVE-2014-3513 and CVE-2014-3567
issues. For the update to take effect, all services linked to the OpenSSL
library (such as httpd and other SSL-enabled services) must be restarted
or the system rebooted.
--

SL6
  x86_64
    openssl-1.0.1e-30.el6_6.2.i686.rpm
    openssl-1.0.1e-30.el6_6.2.x86_64.rpm
    openssl-debuginfo-1.0.1e-30.el6_6.2.i686.rpm
    openssl-debuginfo-1.0.1e-30.el6_6.2.x86_64.rpm
    openssl-devel-1.0.1e-30.el6_6.2.i686.rpm
    openssl-devel-1.0.1e-30.el6_6.2.x86_64.rpm
    openssl-perl-1.0.1e-30.el6_6.2.x86_64.rpm
    openssl-static-1.0.1e-30.el6_6.2.x86_64.rpm
  i386
    openssl-1.0.1e-30.el6_6.2.i686.rpm
    openssl-debuginfo-1.0.1e-30.el6_6.2.i686.rpm
    openssl-devel-1.0.1e-30.el6_6.2.i686.rpm
    openssl-perl-1.0.1e-30.el6_6.2.i686.rpm
    openssl-static-1.0.1e-30.el6_6.2.i686.rpm
SL7
  x86_64
    openssl-1.0.1e-34.el7_0.6.x86_64.rpm
    openssl-debuginfo-1.0.1e-34.el7_0.6.i686.rpm
    openssl-debuginfo-1.0.1e-34.el7_0.6.x86_64.rpm
    openssl-libs-1.0.1e-34.el7_0.6.i686.rpm
    openssl-libs-1.0.1e-34.el7_0.6.x86_64.rpm
    openssl-devel-1.0.1e-34.el7_0.6.i686.rpm
    openssl-devel-1.0.1e-34.el7_0.6.x86_64.rpm
    openssl-perl-1.0.1e-34.el7_0.6.x86_64.rpm
    openssl-static-1.0.1e-34.el7_0.6.i686.rpm
    openssl-static-1.0.1e-34.el7_0.6.x86_64.rpm

- Scientific Linux Development Team

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV