SCIENTIFIC-LINUX-ERRATA Archives

June 2015

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Security ERRATA moderate: Moderate: Openssl Security Update on SL6.x, SL7.x i386/srpm/x86_64
From:
Pat Riehecky <[log in to unmask]>
Reply To:
[log in to unmask]
Date:
Mon, 15 Jun 2015 19:51:57 +0000
Content-Type:
text/plain
Parts/Attachments:
text/plain (79 lines) 
Synopsis:          moderate: Moderate: Openssl Security Update security update

Advisory ID:       SLSA-2015:1115-1

Issue Date:        2015-06-15

CVE Numbers:       CVE-2014-8176

                   CVE-2015-1789

                   CVE-2015-1790

                   CVE-2015-1791

                   CVE-2015-1792

                   CVE-2015-3216

--



An invalid free flaw was found in the way OpenSSL handled certain DTLS

handshake messages. A malicious DTLS client or server could cause a DTLS

server or client using OpenSSL to crash or, potentially, execute arbitrary

code. (CVE-2014-8176)



A flaw was found in the way the OpenSSL packages shipped with Scientific

Linux 6 and 7 performed locking in the ssleay_rand_bytes() function. This

issue could possibly cause a multi-threaded application using OpenSSL to

perform an out-of-bounds read and crash. (CVE-2015-3216)



An out-of-bounds read flaw was found in the X509_cmp_time() function of

OpenSSL. A specially crafted X.509 certificate or a Certificate Revocation

List (CRL) could possibly cause a TLS/SSL server or client using OpenSSL

to crash. (CVE-2015-1789)



A race condition was found in the session handling code of OpenSSL. This

issue could possibly cause a multi-threaded TLS/SSL client using OpenSSL

to double free session ticket data and crash. (CVE-2015-1791)



A flaw was found in the way OpenSSL handled Cryptographic Message Syntax

(CMS) messages. A CMS message with an unknown hash function identifier

could cause an application using OpenSSL to enter an infinite loop.

(CVE-2015-1792)



A NULL pointer dereference was found in the way OpenSSL handled certain

PKCS#7 inputs. A specially crafted PKCS#7 input with missing

EncryptedContent data could cause an application using OpenSSL to crash.

(CVE-2015-1790)



For the update to take effect, all services linked to the OpenSSL library

must be restarted, or the system rebooted.

--



SL6

  x86_64

    openssl-debuginfo-1.0.1e-30.el6_6.11.x86_64.rpm

    openssl-devel-1.0.1e-30.el6_6.11.x86_64.rpm

    openssl-1.0.1e-30.el6_6.11.i686.rpm

    openssl-1.0.1e-30.el6_6.11.x86_64.rpm

    openssl-debuginfo-1.0.1e-30.el6_6.11.i686.rpm

    openssl-static-1.0.1e-30.el6_6.11.x86_64.rpm

    openssl-perl-1.0.1e-30.el6_6.11.x86_64.rpm

    openssl-devel-1.0.1e-30.el6_6.11.i686.rpm

  i386

    openssl-static-1.0.1e-30.el6_6.11.i686.rpm

    openssl-1.0.1e-30.el6_6.11.i686.rpm

    openssl-devel-1.0.1e-30.el6_6.11.i686.rpm

    openssl-perl-1.0.1e-30.el6_6.11.i686.rpm

    openssl-debuginfo-1.0.1e-30.el6_6.11.i686.rpm

  srpm

    openssl-1.0.1e-30.el6_6.11.src.rpm

SL7

  x86_64

    openssl-static-1.0.1e-42.el7_1.8.i686.rpm

    openssl-libs-1.0.1e-42.el7_1.8.i686.rpm

    openssl-libs-1.0.1e-42.el7_1.8.x86_64.rpm

    openssl-static-1.0.1e-42.el7_1.8.x86_64.rpm

    openssl-perl-1.0.1e-42.el7_1.8.x86_64.rpm

    openssl-1.0.1e-42.el7_1.8.x86_64.rpm

    openssl-devel-1.0.1e-42.el7_1.8.x86_64.rpm

    openssl-debuginfo-1.0.1e-42.el7_1.8.x86_64.rpm

    openssl-devel-1.0.1e-42.el7_1.8.i686.rpm

    openssl-debuginfo-1.0.1e-42.el7_1.8.i686.rpm

  srpm

    openssl-1.0.1e-42.el7_1.8.src.rpm



- Scientific Linux Development Team

ATOM RSS1 RSS2