Security Advisory Updated openssl packages fix protocol parsing bugs

Advisory: RHSA-2002:160-21
Type: Security Advisory
Severity: N/A
Issued on: 2002-07-29
Last updated on: 2002-08-05
Affected Products: Red Hat Linux 6.2
Red Hat Linux 7.0
Red Hat Linux 7.1
Red Hat Linux 7.2
Red Hat Linux 7.3
OVAL: N/A
CVEs (cve.mitre.org): CVE-2002-0659

Details

Updated OpenSSL packages are available for Red Hat Linux 6.2, 7, 7.1, 7.2,
and 7.3. These updates fix multiple protocol parsing bugs which may be used
in a denial of service (DoS) attack or cause SSL-enabled applications to crash.

OpenSSL is a commercial-grade, full-featured, and open source toolkit which
implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer
Security (TLS v1) protocols as well as a full-strength general purpose
cryptography library.

Portions of the SSL protocol data stream, which include the lengths of
structures which are being transferred, may not be properly validated. This
may allow a malicious server or client to cause an affected application to
crash or enter an infinite loop, which can be used as a denial of service
(DoS) attack if the application is a server. It has not been verified if
this issue could lead to further consequences such as remote code execution.

These errata packages contain a patch to correct this vulnerability.
Please note that the original patch from the OpenSSL team had a mistake in
it which could possibly still allow buffer overflows to occur. This bug is
also fixed in these errata packages.

NOTE:

Please read the Solution section below as it contains instructions for
making sure that all SSL-enabled processes are restarted after the update
is applied.

Thanks go to the OpenSSL team for providing patches for this issue.


Solution

Because both client and server applications are affected by these
vulnerabilities, we advise users to reboot their systems after installing
these updates.

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Linux 6.2

SRPMS:
openssl-0.9.5a-29.src.rpm
File outdated by:  RHSA-2003:101
    88d1df818d80fc96b3684a18265f37f6
 
Alpha:
ftp://updates.redhat.com/6.2/en/os/alpha/openssl-0.9.5a-29.alpha.rpm
Missing file
    25a6501a6cd4e5b7986a2ebc9c691c65
ftp://updates.redhat.com/6.2/en/os/alpha/openssl-devel-0.9.5a-29.alpha.rpm
Missing file
    58f6ef313c176a3ef98ad4f5f7bb371a
ftp://updates.redhat.com/6.2/en/os/alpha/openssl-perl-0.9.5a-29.alpha.rpm
Missing file
    39930828fdeadfb54902548bbc891485
ftp://updates.redhat.com/6.2/en/os/alpha/openssl-python-0.9.5a-29.alpha.rpm
Missing file
    52cb6e0558523d735ccfe172c1d6e8ab
 
IA-32:
openssl-0.9.5a-29.i386.rpm
File outdated by:  RHSA-2003:101
    e86b57e90b41a8e05db877a575fbe647
openssl-devel-0.9.5a-29.i386.rpm
File outdated by:  RHSA-2003:101
    beb66819c6669d2e2cca1dd67d85f7f7
openssl-perl-0.9.5a-29.i386.rpm
File outdated by:  RHSA-2003:101
    eea8316e88ef8bf272535cd483482e1e
openssl-python-0.9.5a-29.i386.rpm
File outdated by:  RHSA-2003:101
    6b9bc5ee282d3f6f1373478ad3184c5e
 
Sparc:
ftp://updates.redhat.com/6.2/en/os/sparc/openssl-0.9.5a-29.sparc.rpm
Missing file
    e5537f71b2d492d27e8fab6b69a6cb16
ftp://updates.redhat.com/6.2/en/os/sparc/openssl-devel-0.9.5a-29.sparc.rpm
Missing file
    992013eaafb8595b7d1f0cc0c89b0142
ftp://updates.redhat.com/6.2/en/os/sparc/openssl-perl-0.9.5a-29.sparc.rpm
Missing file
    dcc9ea6007e2e59f007910fa5e8cd9b5
ftp://updates.redhat.com/6.2/en/os/sparc/openssl-python-0.9.5a-29.sparc.rpm
Missing file
    e1fa913fc868da6b89150ddb0ce62138
 
Red Hat Linux 7.0

SRPMS:
openssl-0.9.6-13.src.rpm
File outdated by:  RHSA-2003:291
    ee11260a7760ddf55b4ec7755b00b3a7
openssl095a-0.9.5a-18.src.rpm
File outdated by:  RHSA-2003:291
    5ef4beb986cb64aaae2cfd5726a03659
 
Alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/openssl-0.9.6-13.alpha.rpm
Missing file
    aa89abcd401045500219b03d4903811b
ftp://updates.redhat.com/7.0/en/os/alpha/openssl-devel-0.9.6-13.alpha.rpm
Missing file
    8477aeb72e53df02ce6a59d37de7cb02
ftp://updates.redhat.com/7.0/en/os/alpha/openssl-perl-0.9.6-13.alpha.rpm
Missing file
    fff55b6d8a51b9c0b5d10dafcc7511e4
ftp://updates.redhat.com/7.0/en/os/alpha/openssl-python-0.9.6-13.alpha.rpm
Missing file
    168813d3974d63869120464765e34dd8
ftp://updates.redhat.com/7.0/en/os/alpha/openssl095a-0.9.5a-18.alpha.rpm
Missing file
    92d8348414826ec4409e8d31e2513941
 
IA-32:
openssl-0.9.6-13.i386.rpm
File outdated by:  RHSA-2003:101
    f3f805e9698affd543c42a55cbdbaba7
openssl-devel-0.9.6-13.i386.rpm
File outdated by:  RHSA-2003:101
    f8d57d36b1dd4ef5bf0b89579ec229cd
openssl-perl-0.9.6-13.i386.rpm
File outdated by:  RHSA-2003:101
    e18c81476ad5db84dd3178639edbdd82
openssl-python-0.9.6-13.i386.rpm
File outdated by:  RHSA-2003:101
    7f20d329ca75dfce15c883d96ffbaf40
openssl095a-0.9.5a-18.i386.rpm
File outdated by:  RHSA-2003:101
    49b87abfb69a066756eed6441c226775
 
Red Hat Linux 7.1

SRPMS:
openssl-0.9.6-13.src.rpm
File outdated by:  RHSA-2003:291
    ee11260a7760ddf55b4ec7755b00b3a7
openssl095a-0.9.5a-18.src.rpm
File outdated by:  RHSA-2003:291
    5ef4beb986cb64aaae2cfd5726a03659
 
Alpha:
ftp://updates.redhat.com/7.1/en/os/alpha/openssl-0.9.6-13.alpha.rpm
Missing file
    aa89abcd401045500219b03d4903811b
ftp://updates.redhat.com/7.1/en/os/alpha/openssl-devel-0.9.6-13.alpha.rpm
Missing file
    8477aeb72e53df02ce6a59d37de7cb02
ftp://updates.redhat.com/7.1/en/os/alpha/openssl-perl-0.9.6-13.alpha.rpm
Missing file
    fff55b6d8a51b9c0b5d10dafcc7511e4
ftp://updates.redhat.com/7.1/en/os/alpha/openssl-python-0.9.6-13.alpha.rpm
Missing file
    168813d3974d63869120464765e34dd8
ftp://updates.redhat.com/7.1/en/os/alpha/openssl095a-0.9.5a-18.alpha.rpm
Missing file
    92d8348414826ec4409e8d31e2513941
 
IA-32:
openssl-0.9.6-13.i386.rpm
File outdated by:  RHSA-2003:291
    f3f805e9698affd543c42a55cbdbaba7
openssl-devel-0.9.6-13.i386.rpm
File outdated by:  RHSA-2003:291
    f8d57d36b1dd4ef5bf0b89579ec229cd
openssl-perl-0.9.6-13.i386.rpm
File outdated by:  RHSA-2003:291
    e18c81476ad5db84dd3178639edbdd82
openssl-python-0.9.6-13.i386.rpm
File outdated by:  RHSA-2003:291
    7f20d329ca75dfce15c883d96ffbaf40
openssl095a-0.9.5a-18.i386.rpm
File outdated by:  RHSA-2003:291
    49b87abfb69a066756eed6441c226775
 
IA-64:
ftp://updates.redhat.com/7.1/en/os/ia64/openssl-0.9.6-13.ia64.rpm
Missing file
    279a924595d4fb05d9071174e57e61d5
ftp://updates.redhat.com/7.1/en/os/ia64/openssl-devel-0.9.6-13.ia64.rpm
Missing file
    50a5b0b5b5c13eaa4e397a7983839e5c
ftp://updates.redhat.com/7.1/en/os/ia64/openssl-perl-0.9.6-13.ia64.rpm
Missing file
    b115c9b4850610940584caf761fd9a86
ftp://updates.redhat.com/7.1/en/os/ia64/openssl-python-0.9.6-13.ia64.rpm
Missing file
    79baeddf64b07b3bfecb1ae71fe110a1
ftp://updates.redhat.com/7.1/en/os/ia64/openssl095a-0.9.5a-18.ia64.rpm
Missing file
    f6615406c84745284f0e7e9b0d4d0d99
 
Red Hat Linux 7.2

SRPMS:
openssl-0.9.6b-28.src.rpm
File outdated by:  RHSA-2003:291
    a502539af00bf8fc4f184542dbe2a57f
openssl095a-0.9.5a-18.src.rpm
File outdated by:  RHSA-2003:291
    5ef4beb986cb64aaae2cfd5726a03659
openssl096-0.9.6-13.src.rpm
File outdated by:  RHSA-2003:291
    79423e3818cf2d6997f440d8878b5b5c
 
IA-32:
openssl-0.9.6b-28.i386.rpm
File outdated by:  RHSA-2003:291
    c0a52c85725b1ecff52d9c1372472360
openssl-0.9.6b-28.i686.rpm
File outdated by:  RHSA-2003:291
    aec758aeb92b8f6b49365374e7896877
openssl-devel-0.9.6b-28.i386.rpm
File outdated by:  RHSA-2003:291
    bdf9826263203f54685e81bb71815fd0
openssl-perl-0.9.6b-28.i386.rpm
File outdated by:  RHSA-2003:291
    98fd036fc344c1a058d7d62c0cdbdeef
openssl095a-0.9.5a-18.i386.rpm
File outdated by:  RHSA-2003:291
    49b87abfb69a066756eed6441c226775
openssl096-0.9.6-13.i386.rpm
File outdated by:  RHSA-2003:291
    f8852fa073d9e6462264c98c694339be
 
IA-64:
openssl-0.9.6b-28.ia64.rpm
File outdated by:  RHSA-2003:291
    c95cd939889b64b199fd477d950d1bad
openssl-devel-0.9.6b-28.ia64.rpm
File outdated by:  RHSA-2003:291
    ad2477c7f4b611c7c800eedd8856489a
openssl-perl-0.9.6b-28.ia64.rpm
File outdated by:  RHSA-2003:291
    8e4b14c78ed76602a0e377c7559b0747
openssl095a-0.9.5a-18.ia64.rpm
File outdated by:  RHSA-2003:291
    f6615406c84745284f0e7e9b0d4d0d99
openssl096-0.9.6-13.ia64.rpm
File outdated by:  RHSA-2003:291
    975e5824273ba98163fe9efe841053c5
 
Red Hat Linux 7.3

SRPMS:
openssl-0.9.6b-28.src.rpm
File outdated by:  RHSA-2003:291
    a502539af00bf8fc4f184542dbe2a57f
openssl095a-0.9.5a-18.src.rpm
File outdated by:  RHSA-2003:291
    5ef4beb986cb64aaae2cfd5726a03659
openssl096-0.9.6-13.src.rpm
File outdated by:  RHSA-2003:291
    79423e3818cf2d6997f440d8878b5b5c
 
IA-32:
openssl-0.9.6b-28.i386.rpm
File outdated by:  RHSA-2003:291
    c0a52c85725b1ecff52d9c1372472360
openssl-0.9.6b-28.i686.rpm
File outdated by:  RHSA-2003:291
    aec758aeb92b8f6b49365374e7896877
openssl-devel-0.9.6b-28.i386.rpm
File outdated by:  RHSA-2003:291
    bdf9826263203f54685e81bb71815fd0
openssl-perl-0.9.6b-28.i386.rpm
File outdated by:  RHSA-2003:291
    98fd036fc344c1a058d7d62c0cdbdeef
openssl095a-0.9.5a-18.i386.rpm
File outdated by:  RHSA-2003:291
    49b87abfb69a066756eed6441c226775
openssl096-0.9.6-13.i386.rpm
File outdated by:  RHSA-2003:291
    f8852fa073d9e6462264c98c694339be
 

References


Keywords

abstract, ASN.1, notation, OpenSSL, syntax


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/