Skip to navigation

Security Advisory Moderate: openssl097a security update

Advisory: RHSA-2010:0164-1
Type: Security Advisory
Severity: Moderate
Issued on: 2010-03-25
Last updated on: 2010-03-25
Affected Products: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux EUS (v. 5.4.z server)
CVEs (cve.mitre.org): CVE-2009-3555

Details

Updated openssl097a packages that fix a security issue are now available
for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a
full-strength, general purpose cryptography library.

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure
Sockets Layer) protocols handled session renegotiation. A man-in-the-middle
attacker could use this flaw to prefix arbitrary plain text to a client's
session (for example, an HTTPS connection to a website). This could force
the server to process an attacker's request as if authenticated using the
victim's credentials. This update addresses this flaw by implementing the
TLS Renegotiation Indication Extension, as defined in RFC 5746.
(CVE-2009-3555)

Refer to the following Knowledgebase article for additional details about
this flaw: http://kbase.redhat.com/faq/docs/DOC-20491

All openssl097a users should upgrade to these updated packages, which
contain a backported patch to resolve this issue. For the update to take
effect, all services linked to the openssl097a library must be restarted,
or the system rebooted.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

Red Hat Enterprise Linux (v. 5 server)
SRPMS:
openssl097a-0.9.7a-9.el5_4.2.src.rpm     MD5: e487baef5c522e3b532058b60b0adfa1
SHA-256: 70e0f0a7ea2dd0c8fc39393696d7adf2ea1e9ab92288872e00c7c478a0a7a3d8
 
IA-32:
openssl097a-0.9.7a-9.el5_4.2.i386.rpm     MD5: e6562c43834469e471ce2299e26bb0e2
SHA-256: deff1da33aa029a54b13f79fe579caeeb44ebd806eb39ef7a2c645fdceb09317
 
IA-64:
openssl097a-0.9.7a-9.el5_4.2.i386.rpm     MD5: e6562c43834469e471ce2299e26bb0e2
SHA-256: deff1da33aa029a54b13f79fe579caeeb44ebd806eb39ef7a2c645fdceb09317
openssl097a-0.9.7a-9.el5_4.2.ia64.rpm     MD5: 3fe3b4893bdf639c1bb438865087a1c6
SHA-256: 9a36fcc277f26dd42daf2141ecc1a27cb9a52a1fa699557983321a8b7679ea7b
 
PPC:
openssl097a-0.9.7a-9.el5_4.2.ppc.rpm     MD5: a38cdb90262691f2c6d3b3ecbe98b31c
SHA-256: 7d13603f4d233e62604920e957eba3bdbb7d2d0dd095c4f39617ce5f0050b7f9
openssl097a-0.9.7a-9.el5_4.2.ppc64.rpm     MD5: 5deb72368d02adffe479a7265eaa638b
SHA-256: b646532637a72f6ed26286d74b2e349a81af1b4127733c94ee4a50cc3fd8251c
 
s390x:
openssl097a-0.9.7a-9.el5_4.2.s390.rpm     MD5: 4849d902b15641621e1bfae736f15302
SHA-256: bf5f104847cbbdb4fc8ec11eb3cfb5287d89ef599457637f6b15fce875225328
openssl097a-0.9.7a-9.el5_4.2.s390x.rpm     MD5: c74cf8f231ac8f310616f835a330f03f
SHA-256: 859aa30cb60ff1471f6165adbf7fbddc757f8ad5e6436ca0d4d07b31165fd766
 
x86_64:
openssl097a-0.9.7a-9.el5_4.2.i386.rpm     MD5: e6562c43834469e471ce2299e26bb0e2
SHA-256: deff1da33aa029a54b13f79fe579caeeb44ebd806eb39ef7a2c645fdceb09317
openssl097a-0.9.7a-9.el5_4.2.x86_64.rpm     MD5: 49f596060e6ff5d8ce5e1b78fcfcb498
SHA-256: a29f8c8edfc6850b18fc91cf77144af0509c795ee4ac69df3d363baa312a6548
 
Red Hat Enterprise Linux Desktop (v. 5 client)
SRPMS:
openssl097a-0.9.7a-9.el5_4.2.src.rpm     MD5: e487baef5c522e3b532058b60b0adfa1
SHA-256: 70e0f0a7ea2dd0c8fc39393696d7adf2ea1e9ab92288872e00c7c478a0a7a3d8
 
IA-32:
openssl097a-0.9.7a-9.el5_4.2.i386.rpm     MD5: e6562c43834469e471ce2299e26bb0e2
SHA-256: deff1da33aa029a54b13f79fe579caeeb44ebd806eb39ef7a2c645fdceb09317
 
x86_64:
openssl097a-0.9.7a-9.el5_4.2.i386.rpm     MD5: e6562c43834469e471ce2299e26bb0e2
SHA-256: deff1da33aa029a54b13f79fe579caeeb44ebd806eb39ef7a2c645fdceb09317
openssl097a-0.9.7a-9.el5_4.2.x86_64.rpm     MD5: 49f596060e6ff5d8ce5e1b78fcfcb498
SHA-256: a29f8c8edfc6850b18fc91cf77144af0509c795ee4ac69df3d363baa312a6548
 
Red Hat Enterprise Linux EUS (v. 5.4.z server)
SRPMS:
openssl097a-0.9.7a-9.el5_4.2.src.rpm     MD5: e487baef5c522e3b532058b60b0adfa1
SHA-256: 70e0f0a7ea2dd0c8fc39393696d7adf2ea1e9ab92288872e00c7c478a0a7a3d8
 
IA-32:
openssl097a-0.9.7a-9.el5_4.2.i386.rpm     MD5: e6562c43834469e471ce2299e26bb0e2
SHA-256: deff1da33aa029a54b13f79fe579caeeb44ebd806eb39ef7a2c645fdceb09317
 
IA-64:
openssl097a-0.9.7a-9.el5_4.2.i386.rpm     MD5: e6562c43834469e471ce2299e26bb0e2
SHA-256: deff1da33aa029a54b13f79fe579caeeb44ebd806eb39ef7a2c645fdceb09317
openssl097a-0.9.7a-9.el5_4.2.ia64.rpm     MD5: 3fe3b4893bdf639c1bb438865087a1c6
SHA-256: 9a36fcc277f26dd42daf2141ecc1a27cb9a52a1fa699557983321a8b7679ea7b
 
PPC:
openssl097a-0.9.7a-9.el5_4.2.ppc.rpm     MD5: a38cdb90262691f2c6d3b3ecbe98b31c
SHA-256: 7d13603f4d233e62604920e957eba3bdbb7d2d0dd095c4f39617ce5f0050b7f9
openssl097a-0.9.7a-9.el5_4.2.ppc64.rpm     MD5: 5deb72368d02adffe479a7265eaa638b
SHA-256: b646532637a72f6ed26286d74b2e349a81af1b4127733c94ee4a50cc3fd8251c
 
s390x:
openssl097a-0.9.7a-9.el5_4.2.s390.rpm     MD5: 4849d902b15641621e1bfae736f15302
SHA-256: bf5f104847cbbdb4fc8ec11eb3cfb5287d89ef599457637f6b15fce875225328
openssl097a-0.9.7a-9.el5_4.2.s390x.rpm     MD5: c74cf8f231ac8f310616f835a330f03f
SHA-256: 859aa30cb60ff1471f6165adbf7fbddc757f8ad5e6436ca0d4d07b31165fd766
 
x86_64:
openssl097a-0.9.7a-9.el5_4.2.i386.rpm     MD5: e6562c43834469e471ce2299e26bb0e2
SHA-256: deff1da33aa029a54b13f79fe579caeeb44ebd806eb39ef7a2c645fdceb09317
openssl097a-0.9.7a-9.el5_4.2.x86_64.rpm     MD5: 49f596060e6ff5d8ce5e1b78fcfcb498
SHA-256: a29f8c8edfc6850b18fc91cf77144af0509c795ee4ac69df3d363baa312a6548
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation


References

https://www.redhat.com/security/data/cve/CVE-2009-3555.html
http://www.redhat.com/security/updates/classification/#moderate
http://kbase.redhat.com/faq/docs/DOC-20491
http://kbase.redhat.com/faq/docs/DOC-26039

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/