Skip to navigation

Bug Fix Advisory openssl bug fix and enhancement update

Advisory: RHBA-2011:1010-1
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2011-07-21
Last updated on: 2011-07-21
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)

Details

Updated openssl packages that fix several bugs and add various enhancements are
now available for Red Hat Enterprise Linux 5.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) protocols, as well as a full-strength
general-purpose cryptography library.

This update fixes the following bugs:

* Prior to this update, the "s_server" command refused to handle connections
from clients with an unresolvable IP address and terminated with this error
message: "getnameinfo failed". This problem has been fixed: the "s_server"
command now does not terminate even if the IP address of the client is not
resolvable. (BZ#561260)

* Prior to this update, the openssl packages were not fully compliant with the
TLS protocol. As a consequence, the system did not accept a connection from a
client indicating that it supports the TLS protocol version 4.1. With this
update, the server now accepts connections from such clients, which fixes the
problem. (BZ#599112)

* Prior to this update, repeatedly loading and unloading the CHIL engine by a
calling program caused the calling program to terminate unexpectedly due to a
function pointer not being cleared after the engine was unloaded. This bug has
been fixed, and the calling program does not crash anymore. (BZ#622003)

* Prior to this update, a check for a weak public key was missing while the
Diffie-Hellman key was computed. With this update, the DH_check_pub_key()
function call has been added to the DH_compute_key() function, which solves this
low impact problem. (BZ#698175)

* The CHIL Engine is used to access Thales or nCipher hardware devices. Prior to
this update, when attempting to load the CHIL engine into the openssl utility,
the CHIL engine required thread locking callbacks to be set regardless of
whether the calling program was multithreaded. With this update, this unexpected
requirement has been removed. (BZ#671484)

* Prior to this update, when running a multithreaded OpenSSL client application
that tried to connect to a server simultaneously with multiple threads, a TLS
protocol error could have occurred. This bug has been fixed in this update and
no longer occurs. (BZ#688901)

In addition, this update provides the following enhancements:

* Prior to this update, manual and help pages for various sub-commands of the
openssl utility did not specify all the digest algorithms. With this update, the
aforementioned pages have been modified, and users are now pointed to the
"openssl dgst -h" command that lists all the available digests. (BZ#608639)

* The StartCom Free SSL Certification Authority and VeriSign Class 3 Public
Primary Certification Authority - G5 certificates were added to the
/etc/pki/tls/certs/ca-bundle.crt file that contains the certificates of trusted
certification authorities. (BZ#675671, BZ#617856)

* The support for peer certificates that use the SHA-256 and SHA-512 hashing
algorithms is now enabled by default even if the application calls only the
SSL_library_init() function without the OpenSSL_add_all_algorithms() call.
(BZ#676384)

All users of OpenSSL should upgrade to these updated packages, which fix these
bugs and add these enhancements.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
openssl-0.9.8e-20.el5.src.rpm
File outdated by:  RHEA-2014:0104
    MD5: 20043cee0697aad2d353e7a9d7a7de3c
SHA-256: 76781165dc28f7edbbda8b6002a1c4d88a05eaeb8deaf6dad9426b2fd27ea7b7
 
IA-32:
openssl-devel-0.9.8e-20.el5.i386.rpm
File outdated by:  RHEA-2014:0104
    MD5: e83105ba68b845b1c6be0af57081fa76
SHA-256: 6552ed7c1cb868d628a8522693b8ee5a6661552ede53ccf345a5e2b80f3b988b
 
x86_64:
openssl-devel-0.9.8e-20.el5.i386.rpm
File outdated by:  RHEA-2014:0104
    MD5: e83105ba68b845b1c6be0af57081fa76
SHA-256: 6552ed7c1cb868d628a8522693b8ee5a6661552ede53ccf345a5e2b80f3b988b
openssl-devel-0.9.8e-20.el5.x86_64.rpm
File outdated by:  RHEA-2014:0104
    MD5: 344ffcfb396241f0d0a23de80feaf76d
SHA-256: ab30ccc6ec67122a74123c73cdcfd96a4dec839804f5b2e091d7a529b3f7915f
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
openssl-0.9.8e-20.el5.src.rpm
File outdated by:  RHEA-2014:0104
    MD5: 20043cee0697aad2d353e7a9d7a7de3c
SHA-256: 76781165dc28f7edbbda8b6002a1c4d88a05eaeb8deaf6dad9426b2fd27ea7b7
 
IA-32:
openssl-0.9.8e-20.el5.i386.rpm
File outdated by:  RHEA-2014:0104
    MD5: 12c5399c12f70c1d2d62dadc8e8ca970
SHA-256: 76311967f16e42492255c4550dc02f012df9594700b16d5b3cd4194e9d2ef18d
openssl-0.9.8e-20.el5.i686.rpm
File outdated by:  RHEA-2014:0104
    MD5: 49fbd96b358df3d3ed6317e1fc68555e
SHA-256: 5bf36628fd808b62164c184af5a9a3738ffc6e8a1d28f34d97f811a1e0615786
openssl-devel-0.9.8e-20.el5.i386.rpm
File outdated by:  RHEA-2014:0104
    MD5: e83105ba68b845b1c6be0af57081fa76
SHA-256: 6552ed7c1cb868d628a8522693b8ee5a6661552ede53ccf345a5e2b80f3b988b
openssl-perl-0.9.8e-20.el5.i386.rpm
File outdated by:  RHEA-2014:0104
    MD5: 61f5b0390f012b94909c89aa7069ba99
SHA-256: 348a9802335d26d8293e54f73ba8f4edd89270ce9e07afcb2ea8165e01f7e71c
 
IA-64:
openssl-0.9.8e-20.el5.i686.rpm
File outdated by:  RHEA-2014:0104
    MD5: 49fbd96b358df3d3ed6317e1fc68555e
SHA-256: 5bf36628fd808b62164c184af5a9a3738ffc6e8a1d28f34d97f811a1e0615786
openssl-0.9.8e-20.el5.ia64.rpm
File outdated by:  RHEA-2014:0104
    MD5: a9bc22860da98d8d493884a18214e9b2
SHA-256: 06b7a99cf33579270e10a5ce584594c2a857cf639c9fd6d6807fc86311fc8848
openssl-devel-0.9.8e-20.el5.ia64.rpm
File outdated by:  RHEA-2014:0104
    MD5: c122befb5683cc2b8ac3572e6e72e5f2
SHA-256: e1f2b4e2d46b0b444f301ce367536012381722f8ad8652d5e21ea5980fff3108
openssl-perl-0.9.8e-20.el5.ia64.rpm
File outdated by:  RHEA-2014:0104
    MD5: 0f03a3736aba24f6e7ccbe5cc23cd545
SHA-256: 2e036de0f3c0ac947d2de314a8640bcf2e05fb1471c9d166a4d5a23fde872ccc
 
PPC:
openssl-0.9.8e-20.el5.ppc.rpm
File outdated by:  RHEA-2014:0104
    MD5: a90c8fad7158e32a84cdf29d5d109f2d
SHA-256: d63f1e5b64e9c725a397b1c84cf048aa86975ccdbfc38c6dcbb1887d129e599b
openssl-0.9.8e-20.el5.ppc64.rpm
File outdated by:  RHEA-2014:0104
    MD5: 94acd05bf3582cca3c0cf482aecfa45a
SHA-256: 5be573fc2122a61a2215376fa70ca4dfbed6727811cc67abfe022beed6e4d5f2
openssl-devel-0.9.8e-20.el5.ppc.rpm
File outdated by:  RHEA-2014:0104
    MD5: fe0cdd4e49e3c63d0dad9744311e8ee2
SHA-256: 71311565c7d958477a694d18dd8ff4a50a87b79297beabe4628a4e0a34878746
openssl-devel-0.9.8e-20.el5.ppc64.rpm
File outdated by:  RHEA-2014:0104
    MD5: 26cf345150fa7ecf50fd0bd7172d58af
SHA-256: 900c1db539f585d5c6be5900cd12f9a8c764a15b337d91ed2b71f006633974af
openssl-perl-0.9.8e-20.el5.ppc.rpm
File outdated by:  RHEA-2014:0104
    MD5: 1f242a77271d53311da7537dd109e7cb
SHA-256: a22450a7b5aa8a651c04dd91dfa5eb0f03f7a7a88e3e115b55999f8c03d03b8e
 
s390x:
openssl-0.9.8e-20.el5.s390.rpm
File outdated by:  RHEA-2014:0104
    MD5: d486b8965aaf762fdc2557acb924f113
SHA-256: 51d1a52d7eeac571f95ff1acccf0357669b4c08690a0350f8a6475f708c780e4
openssl-0.9.8e-20.el5.s390x.rpm
File outdated by:  RHEA-2014:0104
    MD5: 44003dda0befb69175d393fc465d8171
SHA-256: a574916394431aab0b431f9bbdd83a8c9b47dfe387a4617141732d744880eb72
openssl-devel-0.9.8e-20.el5.s390.rpm
File outdated by:  RHEA-2014:0104
    MD5: 9b86b49261c49d5275a7af40e24ef0db
SHA-256: 562dd02354db4b9d1f09899c4907860d4f5b7f42e8f3708da406009505043eb7
openssl-devel-0.9.8e-20.el5.s390x.rpm
File outdated by:  RHEA-2014:0104
    MD5: 1fb6197dbe566ef9a3e35e35e37af9f3
SHA-256: 8b53b3308eae4c85cad37b080cf9ba42cde5c493c6177a06b28480a6c74ba97e
openssl-perl-0.9.8e-20.el5.s390x.rpm
File outdated by:  RHEA-2014:0104
    MD5: 14cf0b6756963f845825dd6c8f73e545
SHA-256: 51c25f8200349fa72926544df5618db2c4fcef4940cf65b3d425f2f934108d2d
 
x86_64:
openssl-0.9.8e-20.el5.i686.rpm
File outdated by:  RHEA-2014:0104
    MD5: 49fbd96b358df3d3ed6317e1fc68555e
SHA-256: 5bf36628fd808b62164c184af5a9a3738ffc6e8a1d28f34d97f811a1e0615786
openssl-0.9.8e-20.el5.x86_64.rpm
File outdated by:  RHEA-2014:0104
    MD5: c7a99f526e6b98d14f549eef2e5e4849
SHA-256: 6f9c4ce37e97928c83a66e1a6709c35eee0acacd7cd0e0e1e64b76de421da172
openssl-devel-0.9.8e-20.el5.i386.rpm
File outdated by:  RHEA-2014:0104
    MD5: e83105ba68b845b1c6be0af57081fa76
SHA-256: 6552ed7c1cb868d628a8522693b8ee5a6661552ede53ccf345a5e2b80f3b988b
openssl-devel-0.9.8e-20.el5.x86_64.rpm
File outdated by:  RHEA-2014:0104
    MD5: 344ffcfb396241f0d0a23de80feaf76d
SHA-256: ab30ccc6ec67122a74123c73cdcfd96a4dec839804f5b2e091d7a529b3f7915f
openssl-perl-0.9.8e-20.el5.x86_64.rpm
File outdated by:  RHEA-2014:0104
    MD5: 9d99848af242342cfc620356ea78af0b
SHA-256: 8c172fa63e17e4ba2c7de6fc914057264f38fcce6804ed2d9847db13d32c96ee
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
openssl-0.9.8e-20.el5.src.rpm
File outdated by:  RHEA-2014:0104
    MD5: 20043cee0697aad2d353e7a9d7a7de3c
SHA-256: 76781165dc28f7edbbda8b6002a1c4d88a05eaeb8deaf6dad9426b2fd27ea7b7
 
IA-32:
openssl-0.9.8e-20.el5.i386.rpm
File outdated by:  RHEA-2014:0104
    MD5: 12c5399c12f70c1d2d62dadc8e8ca970
SHA-256: 76311967f16e42492255c4550dc02f012df9594700b16d5b3cd4194e9d2ef18d
openssl-0.9.8e-20.el5.i686.rpm
File outdated by:  RHEA-2014:0104
    MD5: 49fbd96b358df3d3ed6317e1fc68555e
SHA-256: 5bf36628fd808b62164c184af5a9a3738ffc6e8a1d28f34d97f811a1e0615786
openssl-perl-0.9.8e-20.el5.i386.rpm
File outdated by:  RHEA-2014:0104
    MD5: 61f5b0390f012b94909c89aa7069ba99
SHA-256: 348a9802335d26d8293e54f73ba8f4edd89270ce9e07afcb2ea8165e01f7e71c
 
x86_64:
openssl-0.9.8e-20.el5.i686.rpm
File outdated by:  RHEA-2014:0104
    MD5: 49fbd96b358df3d3ed6317e1fc68555e
SHA-256: 5bf36628fd808b62164c184af5a9a3738ffc6e8a1d28f34d97f811a1e0615786
openssl-0.9.8e-20.el5.x86_64.rpm
File outdated by:  RHEA-2014:0104
    MD5: c7a99f526e6b98d14f549eef2e5e4849
SHA-256: 6f9c4ce37e97928c83a66e1a6709c35eee0acacd7cd0e0e1e64b76de421da172
openssl-perl-0.9.8e-20.el5.x86_64.rpm
File outdated by:  RHEA-2014:0104
    MD5: 9d99848af242342cfc620356ea78af0b
SHA-256: 8c172fa63e17e4ba2c7de6fc914057264f38fcce6804ed2d9847db13d32c96ee
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

561260 - s_server quits when receiving a connection from an unresolvable IP
599112 - openssl-0.9.8e-12.el5_4.6 is TLS non-compliant (version intolerance)
608639 - man pages and help text do not list all digests
622003 - Calling program crashes when loading OpenSSL CHIL Engine twice
671484 - Backport OpenSSL RT #1736, CHIL Engine thread lock upcall management
675671 - Root CA cert bundle is missing "VeriSign Class 3 Public Primary Certification Authority - G5" cert
676384 - OpenSSL / PAM & NSS_LDAP / SUDO fail TLS_CHECKPEER with Cipher AES256-SHA
688901 - occasional 502 errors on httpd load balancer
698175 - Add call to DH_check_pub_key() in DH_compute_key() by Diffie-Hellman key exchange


Keywords

bundle, CA, CHIL, crash, DH, locking, resolver, SHA, thread, TLS, version


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/