Synopsis: Moderate: openssl security update Issue date: 2010-01-19 CVE Names: CVE-2009-2409 CVE-2009-4355 CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky) CVE-2009-4355 openssl significant memory leak in certain SSLv3 requests (DoS) It was found that the OpenSSL library did not properly re-initialize its internal state in the SSL_library_init() function after previous calls to the CRYPTO_cleanup_all_ex_data() function, which would cause a memory leak for each subsequent SSL connection. This flaw could cause server applications that call those functions during reload, such as a combination of the Apache HTTP Server, mod_ssl, PHP, and cURL, to consume all available memory, resulting in a denial of service. (CVE-2009-4355) Dan Kaminsky found that browsers could accept certificates with MD2 hash signatures, even though MD2 is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker to create a malicious certificate that would be treated as trusted by a browser. OpenSSL now disables the use of the MD2 algorithm inside signatures by default. (CVE-2009-2409) For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. SL 5.x SRPMS: openssl-0.9.8e-12.el5_4.1.src.rpm i386: openssl-0.9.8e-12.el5_4.1.i386.rpm openssl-0.9.8e-12.el5_4.1.i686.rpm openssl-devel-0.9.8e-12.el5_4.1.i386.rpm openssl-perl-0.9.8e-12.el5_4.1.i386.rpm x86_64: openssl-0.9.8e-12.el5_4.1.i686.rpm openssl-0.9.8e-12.el5_4.1.x86_64.rpm openssl-devel-0.9.8e-12.el5_4.1.i386.rpm openssl-devel-0.9.8e-12.el5_4.1.x86_64.rpm openssl-perl-0.9.8e-12.el5_4.1.x86_64.rpm -Connie Sieh -Troy Dawson