Red Hat Customer Portal

Security Advisory Moderate: openssl security update

Advisory: RHSA-2015:0800-1
Type: Security Advisory
Severity: Moderate
Issued on: 2015-04-13
Last updated on: 2015-04-13
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2014-8275
CVE-2015-0204
CVE-2015-0287
CVE-2015-0288
CVE-2015-0289
CVE-2015-0292
CVE-2015-0293
CVE-2016-0703
CVE-2016-0704

Details

Updated openssl packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a
full-strength, general purpose cryptography library.

It was discovered that OpenSSL would accept ephemeral RSA keys when using
non-export RSA cipher suites. A malicious server could make a TLS/SSL
client using OpenSSL use a weaker key exchange method. (CVE-2015-0204)

An integer underflow flaw, leading to a buffer overflow, was found in the
way OpenSSL decoded malformed Base64-encoded inputs. An attacker able to
make an application using OpenSSL decode a specially crafted Base64-encoded
input (such as a PEM file) could use this flaw to cause the application to
crash. Note: this flaw is not exploitable via the TLS/SSL protocol because
the data being transferred is not Base64-encoded. (CVE-2015-0292)

A denial of service flaw was found in the way OpenSSL handled SSLv2
handshake messages. A remote attacker could use this flaw to cause a
TLS/SSL server using OpenSSL to exit on a failed assertion if it had both
the SSLv2 protocol and EXPORT-grade cipher suites enabled. (CVE-2015-0293)

Multiple flaws were found in the way OpenSSL parsed X.509 certificates.
An attacker could use these flaws to modify an X.509 certificate to produce
a certificate with a different fingerprint without invalidating its
signature, and possibly bypass fingerprint-based blacklisting in
applications. (CVE-2014-8275)

An out-of-bounds write flaw was found in the way OpenSSL reused certain
ASN.1 structures. A remote attacker could possibly use a specially crafted
ASN.1 structure that, when parsed by an application, would cause that
application to crash. (CVE-2015-0287)

A NULL pointer dereference flaw was found in OpenSSL's X.509 certificate
handling implementation. A specially crafted X.509 certificate could cause
an application using OpenSSL to crash if the application attempted to
convert the certificate to a certificate request. (CVE-2015-0288)

A NULL pointer dereference was found in the way OpenSSL handled certain
PKCS#7 inputs. An attacker able to make an application using OpenSSL
verify, decrypt, or parse a specially crafted PKCS#7 input could cause that
application to crash. TLS/SSL clients and servers using OpenSSL were not
affected by this flaw. (CVE-2015-0289)

Red Hat would like to thank the OpenSSL project for reporting
CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, and
CVE-2015-0293. Upstream acknowledges Emilia Käsper of the OpenSSL
development team as the original reporter of CVE-2015-0287, Brian Carpenter
as the original reporter of CVE-2015-0288, Michal Zalewski of Google as the
original reporter of CVE-2015-0289, Robert Dugal and David Ramos as the
original reporters of CVE-2015-0292, and Sean Burford of Google and Emilia
Käsper of the OpenSSL development team as the original reporters of
CVE-2015-0293.

All openssl users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. For the update to take
effect, all services linked to the OpenSSL library must be restarted, or
the system rebooted.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258
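The advisory stresses that the fix only takes effect once every service linked against OpenSSL has been restarted. The script below is an added example, not part of the advisory or of Red Hat's tooling, that finds processes still mapping a libssl/libcrypto whose file was replaced by the update; the function names and the optional directory argument standing in for /proc are assumptions made so the check can be exercised on a constructed directory tree.

```shell
#!/bin/sh
# Added example, not from the advisory: when the openssl RPMs are updated, the
# old libssl/libcrypto files are unlinked but stay mapped in every process that
# loaded them before the update. The kernel shows such mappings with a
# "(deleted)" suffix in /proc/<pid>/maps; those processes still run the
# vulnerable code until they are restarted.

# Print "<pid> <name>" for each process with a deleted OpenSSL library mapped.
# The optional first argument replaces /proc (an assumption of this example,
# so the function can be run against a constructed directory tree).
stale_openssl_procs() {
    root="${1:-/proc}"
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid="${maps%/maps}"; pid="${pid##*/}"
        # libssl.so.* or libcrypto.so.* whose backing file has been removed.
        if grep -Eq 'lib(ssl|crypto)\.so.*\(deleted\)' "$maps" 2>/dev/null; then
            name="?"
            if [ -r "$root/$pid/status" ]; then
                # RHEL 5 kernels have no /proc/<pid>/comm; use the Name: line.
                name=$(awk '/^Name:/ { print $2 }' "$root/$pid/status")
            fi
            echo "$pid $name"
        fi
    done
}

# Succeeds (exit 0) when at least one process still needs a restart.
openssl_restart_needed() {
    [ -n "$(stale_openssl_procs "$1")" ]
}

# Run directly: show the installed build (the fixed build from this advisory
# is openssl-0.9.8e-33.el5_11) and list the processes to restart.
rpm -q openssl 2>/dev/null || echo "could not query the openssl package with rpm"
if openssl_restart_needed; then
    echo "Processes still using the old OpenSSL (restart them or reboot):"
    stale_openssl_procs
else
    echo "No process has a deleted OpenSSL library mapped."
fi
```

A process listed here keeps running the pre-update code even though `rpm -q openssl` already reports the fixed build.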

Updated packages

All files listed below are outdated by: RHSA-2016:0302

RHEL Desktop Workstation (v. 5 client)

SRPMS:
openssl-0.9.8e-33.el5_11.src.rpm

IA-32:
openssl-debuginfo-0.9.8e-33.el5_11.i386.rpm
openssl-devel-0.9.8e-33.el5_11.i386.rpm

x86_64:
openssl-debuginfo-0.9.8e-33.el5_11.i386.rpm
openssl-debuginfo-0.9.8e-33.el5_11.x86_64.rpm
openssl-devel-0.9.8e-33.el5_11.i386.rpm
openssl-devel-0.9.8e-33.el5_11.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
openssl-0.9.8e-33.el5_11.src.rpm

IA-32:
openssl-0.9.8e-33.el5_11.i386.rpm
openssl-0.9.8e-33.el5_11.i686.rpm
openssl-debuginfo-0.9.8e-33.el5_11.i386.rpm
openssl-debuginfo-0.9.8e-33.el5_11.i686.rpm
openssl-devel-0.9.8e-33.el5_11.i386.rpm
openssl-perl-0.9.8e-33.el5_11.i386.rpm

IA-64:
openssl-0.9.8e-33.el5_11.i686.rpm
openssl-0.9.8e-33.el5_11.ia64.rpm
openssl-debuginfo-0.9.8e-33.el5_11.i686.rpm
openssl-debuginfo-0.9.8e-33.el5_11.ia64.rpm
openssl-devel-0.9.8e-33.el5_11.ia64.rpm
openssl-perl-0.9.8e-33.el5_11.ia64.rpm

PPC:
openssl-0.9.8e-33.el5_11.ppc.rpm
openssl-0.9.8e-33.el5_11.ppc64.rpm
openssl-debuginfo-0.9.8e-33.el5_11.ppc.rpm
openssl-debuginfo-0.9.8e-33.el5_11.ppc64.rpm
openssl-devel-0.9.8e-33.el5_11.ppc.rpm
openssl-devel-0.9.8e-33.el5_11.ppc64.rpm
openssl-perl-0.9.8e-33.el5_11.ppc.rpm

s390x:
openssl-0.9.8e-33.el5_11.s390.rpm
openssl-0.9.8e-33.el5_11.s390x.rpm
openssl-debuginfo-0.9.8e-33.el5_11.s390.rpm
openssl-debuginfo-0.9.8e-33.el5_11.s390x.rpm
openssl-devel-0.9.8e-33.el5_11.s390.rpm
openssl-devel-0.9.8e-33.el5_11.s390x.rpm
openssl-perl-0.9.8e-33.el5_11.s390x.rpm

x86_64:
openssl-0.9.8e-33.el5_11.i686.rpm
openssl-0.9.8e-33.el5_11.x86_64.rpm
openssl-debuginfo-0.9.8e-33.el5_11.i386.rpm
openssl-debuginfo-0.9.8e-33.el5_11.i686.rpm
openssl-debuginfo-0.9.8e-33.el5_11.x86_64.rpm
openssl-devel-0.9.8e-33.el5_11.i386.rpm
openssl-devel-0.9.8e-33.el5_11.x86_64.rpm
openssl-perl-0.9.8e-33.el5_11.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
openssl-0.9.8e-33.el5_11.src.rpm

IA-32:
openssl-0.9.8e-33.el5_11.i386.rpm
openssl-0.9.8e-33.el5_11.i686.rpm
openssl-debuginfo-0.9.8e-33.el5_11.i386.rpm
openssl-debuginfo-0.9.8e-33.el5_11.i686.rpm
openssl-perl-0.9.8e-33.el5_11.i386.rpm

x86_64:
openssl-0.9.8e-33.el5_11.i686.rpm
openssl-0.9.8e-33.el5_11.x86_64.rpm
openssl-debuginfo-0.9.8e-33.el5_11.i686.rpm
openssl-debuginfo-0.9.8e-33.el5_11.x86_64.rpm
openssl-perl-0.9.8e-33.el5_11.x86_64.rpm

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1180184 - CVE-2015-0204 openssl: only allow ephemeral RSA keys in export ciphersuites (FREAK)
1180187 - CVE-2014-8275 openssl: Fix various certificate fingerprint issues
1202380 - CVE-2015-0287 openssl: ASN.1 structure reuse memory corruption
1202384 - CVE-2015-0289 openssl: PKCS7 NULL pointer dereference
1202395 - CVE-2015-0292 openssl: integer underflow leading to buffer overflow in base64 decoding
1202404 - CVE-2015-0293 openssl: assertion failure in SSLv2 servers
1202418 - CVE-2015-0288 openssl: X509_to_X509_REQ NULL pointer dereference


References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/