Synopsis:   Moderate: openssl security update
Issue date: 2007-10-22
CVE Names:  CVE-2007-3108 CVE-2007-5135

A flaw was found in the SSL_get_shared_ciphers() utility function. An attacker could send a list of ciphers to an application that used this function and overrun a buffer with a single byte (CVE-2007-5135). Few applications make use of this vulnerable function and generally it is used only when applications are compiled for debugging.

A number of possible side-channel attacks were discovered affecting OpenSSL. A local attacker could possibly obtain RSA private keys being used on a system. In practice these attacks would be difficult to perform outside of a lab environment. This update contains backported patches designed to mitigate these issues (CVE-2007-3108).

Note: After installing this update, users are advised to either restart all services that use OpenSSL or restart their system.

SL 3.0.x

    SRPMS:
openssl-0.9.7a-33.24.src.rpm

    i386:
openssl-0.9.7a-33.24.i386.rpm
openssl-0.9.7a-33.24.i686.rpm
openssl-devel-0.9.7a-33.24.i386.rpm
openssl-perl-0.9.7a-33.24.i386.rpm

    x86_64:
openssl-0.9.7a-33.24.i686.rpm
openssl-0.9.7a-33.24.x86_64.rpm
openssl-devel-0.9.7a-33.24.x86_64.rpm
openssl-perl-0.9.7a-33.24.x86_64.rpm

-Connie Sieh
-Troy Dawson
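
One way to act on the restart note above, as an added example that is not part of the original advisory: after the update, list the processes that still have the old libssl or libcrypto mapped, so only those services need restarting. The function names and the optional proc-root argument are assumptions of this example; it relies on Linux marking a replaced library as "(deleted)" in /proc/PID/maps.

```shell
#!/bin/sh
# Added example (not from the advisory): find processes that still map a
# libssl/libcrypto file that was replaced on disk by the package update.
# The optional argument (default /proc) is an assumption of this example
# so the scan can be pointed at a constructed directory tree.

stale_openssl_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        # Skip processes we may not read, or that exited mid-scan.
        [ -r "$maps" ] || continue
        # A replaced library stays mapped from its old inode; the kernel
        # appends " (deleted)" to the path on that line of the maps file.
        if grep -Eq '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid_dir=${maps%/maps}
            echo "${pid_dir##*/}"
        fi
    done | sort -n
}

# Print "PID NAME" for each stale process, taking NAME from the status file.
stale_openssl_report() {
    proc_root="${1:-/proc}"
    for pid in $(stale_openssl_pids "$proc_root"); do
        name=$(sed -n 's/^Name:[[:space:]]*//p' "$proc_root/$pid/status" 2>/dev/null)
        echo "$pid ${name:-unknown}"
    done
}

# Run as root with --scan to cover every process on the live system.
if [ "${1:-}" = "--scan" ]; then
    stale_openssl_report
fi
```

An empty report means no running process is still using the pre-update library; statically linked programs are not covered by this check.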