Skip to navigation

Security Advisory Moderate: openssl security update

Advisory: RHSA-2010:0054-1
Type: Security Advisory
Severity: Moderate
Issued on: 2010-01-19
Last updated on: 2010-01-19
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux EUS (v. 5.4.z server)
CVEs (cve.mitre.org): CVE-2009-2409
CVE-2009-4355

Details

Updated openssl packages that fix two security issues are now available for
Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a
full-strength, general purpose cryptography library.

It was found that the OpenSSL library did not properly re-initialize its
internal state in the SSL_library_init() function after previous calls to
the CRYPTO_cleanup_all_ex_data() function, which would cause a memory leak
for each subsequent SSL connection. This flaw could cause server
applications that call those functions during reload, such as a combination
of the Apache HTTP Server, mod_ssl, PHP, and cURL, to consume all available
memory, resulting in a denial of service. (CVE-2009-4355)

Dan Kaminsky found that browsers could accept certificates with MD2 hash
signatures, even though MD2 is no longer considered a cryptographically
strong algorithm. This could make it easier for an attacker to create a
malicious certificate that would be treated as trusted by a browser.
OpenSSL now disables the use of the MD2 algorithm inside signatures by
default. (CVE-2009-2409)

All OpenSSL users should upgrade to these updated packages, which contain
backported patches to resolve these issues. For the update to take effect,
all services linked to the OpenSSL library must be restarted, or the system
rebooted.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)
SRPMS:
openssl-0.9.8e-12.el5_4.1.src.rpm
File outdated by:  RHSA-2013:0587		     MD5: 54f618d331d9db4830de64fb7ff5188f
 
IA-32:
openssl-devel-0.9.8e-12.el5_4.1.i386.rpm
File outdated by:  RHSA-2013:0587		     MD5: 110d587796c45bd0f77b972864a84be3
 
x86_64:
openssl-devel-0.9.8e-12.el5_4.1.i386.rpm
File outdated by:  RHSA-2013:0587		     MD5: 110d587796c45bd0f77b972864a84be3
openssl-devel-0.9.8e-12.el5_4.1.x86_64.rpm
File outdated by:  RHSA-2013:0587		     MD5: 86c6e1973c10fff40bde888408616d8a
 
Red Hat Enterprise Linux (v. 5 server)
SRPMS:
openssl-0.9.8e-12.el5_4.1.src.rpm
File outdated by:  RHSA-2013:0587		     MD5: 54f618d331d9db4830de64fb7ff5188f
 
IA-32:
openssl-0.9.8e-12.el5_4.1.i386.rpm
File outdated by:  RHSA-2013:0587		     MD5: a266640999c722052bae793bc639fbd3
openssl-0.9.8e-12.el5_4.1.i686.rpm
File outdated by:  RHSA-2013:0587		     MD5: 99b601f62056b620eaf2159a42363bd7
openssl-devel-0.9.8e-12.el5_4.1.i386.rpm
File outdated by:  RHSA-2013:0587		     MD5: 110d587796c45bd0f77b972864a84be3
openssl-perl-0.9.8e-12.el5_4.1.i386.rpm
File outdated by:  RHSA-2013:0587		     MD5: f7f7162fb4886bc289f74ec37258f609
 
IA-64:
openssl-0.9.8e-12.el5_4.1.i686.rpm
File outdated by:  RHSA-2013:0587		     MD5: 99b601f62056b620eaf2159a42363bd7
openssl-0.9.8e-12.el5_4.1.ia64.rpm
File outdated by:  RHSA-2013:0587		     MD5: 1a264d5390991df16daffe03caf38a3a
openssl-devel-0.9.8e-12.el5_4.1.ia64.rpm
File outdated by:  RHSA-2013:0587		     MD5: f34c1beab00db4e6d4a591fefc9a9e7b
openssl-perl-0.9.8e-12.el5_4.1.ia64.rpm
File outdated by:  RHSA-2013:0587		     MD5: 55564de7f935e876b28546e705a529e0
 
PPC:
openssl-0.9.8e-12.el5_4.1.ppc.rpm
File outdated by:  RHSA-2013:0587		     MD5: b9238b1f440abc85bd3f630cd7e140da
openssl-0.9.8e-12.el5_4.1.ppc64.rpm
File outdated by:  RHSA-2013:0587		     MD5: 929b5e2a294b738f0f15d6e20aa5de6a
openssl-devel-0.9.8e-12.el5_4.1.ppc.rpm
File outdated by:  RHSA-2013:0587		     MD5: aacb1cd6c7d04b885b8196be2fdc7810
openssl-devel-0.9.8e-12.el5_4.1.ppc64.rpm
File outdated by:  RHSA-2013:0587		     MD5: bb36b3dbb343c6731e754f56a90060c3
openssl-perl-0.9.8e-12.el5_4.1.ppc.rpm
File outdated by:  RHSA-2013:0587		     MD5: c71243322104616d9c52541008fecce4
 
s390x:
openssl-0.9.8e-12.el5_4.1.s390.rpm
File outdated by:  RHSA-2013:0587		     MD5: e7f06311d6303b3ee1196524217a8d3b
openssl-0.9.8e-12.el5_4.1.s390x.rpm
File outdated by:  RHSA-2013:0587		     MD5: 049f7c3cc541b226b63ea630d9074e44
openssl-devel-0.9.8e-12.el5_4.1.s390.rpm
File outdated by:  RHSA-2013:0587		     MD5: 581555b2f68fcf497f3e2f4e0e378ef4
openssl-devel-0.9.8e-12.el5_4.1.s390x.rpm
File outdated by:  RHSA-2013:0587		     MD5: f6552244395e8db174aa0b801be24ba9
openssl-perl-0.9.8e-12.el5_4.1.s390x.rpm
File outdated by:  RHSA-2013:0587		     MD5: c756d42140a25e082654a360e886d36d
 
x86_64:
openssl-0.9.8e-12.el5_4.1.i686.rpm
File outdated by:  RHSA-2013:0587		     MD5: 99b601f62056b620eaf2159a42363bd7
openssl-0.9.8e-12.el5_4.1.x86_64.rpm
File outdated by:  RHSA-2013:0587		     MD5: 9e17482da236464a41e9edc3be3164e8
openssl-devel-0.9.8e-12.el5_4.1.i386.rpm
File outdated by:  RHSA-2013:0587		     MD5: 110d587796c45bd0f77b972864a84be3
openssl-devel-0.9.8e-12.el5_4.1.x86_64.rpm
File outdated by:  RHSA-2013:0587		     MD5: 86c6e1973c10fff40bde888408616d8a
openssl-perl-0.9.8e-12.el5_4.1.x86_64.rpm
File outdated by:  RHSA-2013:0587		     MD5: da096290d56569ffb9f510d205e92d60
 
Red Hat Enterprise Linux Desktop (v. 5 client)
SRPMS:
openssl-0.9.8e-12.el5_4.1.src.rpm
File outdated by:  RHSA-2013:0587		     MD5: 54f618d331d9db4830de64fb7ff5188f
 
IA-32:
openssl-0.9.8e-12.el5_4.1.i386.rpm
File outdated by:  RHSA-2013:0587		     MD5: a266640999c722052bae793bc639fbd3
openssl-0.9.8e-12.el5_4.1.i686.rpm
File outdated by:  RHSA-2013:0587		     MD5: 99b601f62056b620eaf2159a42363bd7
openssl-perl-0.9.8e-12.el5_4.1.i386.rpm
File outdated by:  RHSA-2013:0587		     MD5: f7f7162fb4886bc289f74ec37258f609
 
x86_64:
openssl-0.9.8e-12.el5_4.1.i686.rpm
File outdated by:  RHSA-2013:0587		     MD5: 99b601f62056b620eaf2159a42363bd7
openssl-0.9.8e-12.el5_4.1.x86_64.rpm
File outdated by:  RHSA-2013:0587		     MD5: 9e17482da236464a41e9edc3be3164e8
openssl-perl-0.9.8e-12.el5_4.1.x86_64.rpm
File outdated by:  RHSA-2013:0587		     MD5: da096290d56569ffb9f510d205e92d60
 
Red Hat Enterprise Linux EUS (v. 5.4.z server)
SRPMS:
openssl-0.9.8e-12.el5_4.1.src.rpm
File outdated by:  RHSA-2013:0587		     MD5: 54f618d331d9db4830de64fb7ff5188f
 
IA-32:
openssl-0.9.8e-12.el5_4.1.i386.rpm
File outdated by:  RHSA-2010:0162		     MD5: a266640999c722052bae793bc639fbd3
openssl-0.9.8e-12.el5_4.1.i686.rpm
File outdated by:  RHSA-2010:0162		     MD5: 99b601f62056b620eaf2159a42363bd7
openssl-devel-0.9.8e-12.el5_4.1.i386.rpm
File outdated by:  RHSA-2010:0162		     MD5: 110d587796c45bd0f77b972864a84be3
openssl-perl-0.9.8e-12.el5_4.1.i386.rpm
File outdated by:  RHSA-2010:0162		     MD5: f7f7162fb4886bc289f74ec37258f609
 
IA-64:
openssl-0.9.8e-12.el5_4.1.i686.rpm
File outdated by:  RHSA-2010:0162		     MD5: 99b601f62056b620eaf2159a42363bd7
openssl-0.9.8e-12.el5_4.1.ia64.rpm
File outdated by:  RHSA-2010:0162		     MD5: 1a264d5390991df16daffe03caf38a3a
openssl-devel-0.9.8e-12.el5_4.1.ia64.rpm
File outdated by:  RHSA-2010:0162		     MD5: f34c1beab00db4e6d4a591fefc9a9e7b
openssl-perl-0.9.8e-12.el5_4.1.ia64.rpm
File outdated by:  RHSA-2010:0162		     MD5: 55564de7f935e876b28546e705a529e0
 
PPC:
openssl-0.9.8e-12.el5_4.1.ppc.rpm
File outdated by:  RHSA-2010:0162		     MD5: b9238b1f440abc85bd3f630cd7e140da
openssl-0.9.8e-12.el5_4.1.ppc64.rpm
File outdated by:  RHSA-2010:0162		     MD5: 929b5e2a294b738f0f15d6e20aa5de6a
openssl-devel-0.9.8e-12.el5_4.1.ppc.rpm
File outdated by:  RHSA-2010:0162		     MD5: aacb1cd6c7d04b885b8196be2fdc7810
openssl-devel-0.9.8e-12.el5_4.1.ppc64.rpm
File outdated by:  RHSA-2010:0162		     MD5: bb36b3dbb343c6731e754f56a90060c3
openssl-perl-0.9.8e-12.el5_4.1.ppc.rpm
File outdated by:  RHSA-2010:0162		     MD5: c71243322104616d9c52541008fecce4
 
s390x:
openssl-0.9.8e-12.el5_4.1.s390.rpm
File outdated by:  RHSA-2010:0162		     MD5: e7f06311d6303b3ee1196524217a8d3b
openssl-0.9.8e-12.el5_4.1.s390x.rpm
File outdated by:  RHSA-2010:0162		     MD5: 049f7c3cc541b226b63ea630d9074e44
openssl-devel-0.9.8e-12.el5_4.1.s390.rpm
File outdated by:  RHSA-2010:0162		     MD5: 581555b2f68fcf497f3e2f4e0e378ef4
openssl-devel-0.9.8e-12.el5_4.1.s390x.rpm
File outdated by:  RHSA-2010:0162		     MD5: f6552244395e8db174aa0b801be24ba9
openssl-perl-0.9.8e-12.el5_4.1.s390x.rpm
File outdated by:  RHSA-2010:0162		     MD5: c756d42140a25e082654a360e886d36d
 
x86_64:
openssl-0.9.8e-12.el5_4.1.i686.rpm
File outdated by:  RHSA-2010:0162		     MD5: 99b601f62056b620eaf2159a42363bd7
openssl-0.9.8e-12.el5_4.1.x86_64.rpm
File outdated by:  RHSA-2010:0162		     MD5: 9e17482da236464a41e9edc3be3164e8
openssl-devel-0.9.8e-12.el5_4.1.i386.rpm
File outdated by:  RHSA-2010:0162		     MD5: 110d587796c45bd0f77b972864a84be3
openssl-devel-0.9.8e-12.el5_4.1.x86_64.rpm
File outdated by:  RHSA-2010:0162		     MD5: 86c6e1973c10fff40bde888408616d8a
openssl-perl-0.9.8e-12.el5_4.1.x86_64.rpm
File outdated by:  RHSA-2010:0162		     MD5: da096290d56569ffb9f510d205e92d60
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

510197 - CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky)
546707 - CVE-2009-4355 openssl significant memory leak in certain SSLv3 requests (DoS)


References

https://www.redhat.com/security/data/cve/CVE-2009-2409.html
https://www.redhat.com/security/data/cve/CVE-2009-4355.html
http://www.redhat.com/security/updates/classification/#moderate

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/