Security Advisory openssl security update

Advisory: RHSA-2005:829-7
Type: Security Advisory
Severity: Important
Issued on: 2005-11-02
Last updated on: 2005-11-02
Affected Products: Red Hat Enterprise Linux AS (v. 2.1)
Red Hat Enterprise Linux ES (v. 2.1)
Red Hat Enterprise Linux WS (v. 2.1)
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
CVEs (cve.mitre.org): CVE-2004-0079

Details

Updated OpenSSL packages that fix a remote denial of service vulnerability
are now available for Red Hat Enterprise Linux 2.1.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

The OpenSSL toolkit implements the Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols and serves as a full-strength,
general-purpose cryptography library.

Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool
uncovered a null-pointer assignment in the do_change_cipher_spec()
function. A remote attacker could perform a carefully crafted SSL/TLS
handshake against a server that uses the OpenSSL library in such a way as
to cause OpenSSL to crash. Depending on the server this could lead to a
denial of service. (CVE-2004-0079)

This issue was reported as not affecting OpenSSL versions prior to 0.9.6c,
and testing with the Codenomicon Test Tool showed that OpenSSL 0.9.6b as
shipped in Red Hat Enterprise Linux 2.1 did not crash. However, an
alternative reproducer has been written which shows that this issue does
affect versions of OpenSSL prior to 0.9.6c.

Users of OpenSSL are advised to upgrade to these updated packages, which
contain a patch provided by the OpenSSL group that protects against this issue.

NOTE: Because server applications are affected by this issue, users are
advised to either restart all services that use OpenSSL functionality or
restart their systems after installing these updates.
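The restart requirement above is easy to verify rather than assume. As an added example (not part of the Red Hat advisory), the script below finds processes that still have the pre-update libssl or libcrypto mapped: rpm replaces the library file on disk, but a running service keeps the unlinked copy mapped until it is restarted, and the kernel marks such a mapping with a "(deleted)" suffix in /proc/<pid>/maps. The library name pattern and the use of ps to resolve the command name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Red Hat advisory: after the openssl RPMs
# have been upgraded, find processes that still have the OLD libssl or
# libcrypto mapped. rpm replaces the file on disk, but a running service
# keeps the unlinked copy mapped until restarted, and the kernel shows
# that mapping in /proc/<pid>/maps with a "(deleted)" suffix.

# stale_libs_in_maps MAPS_FILE
#   Print the deleted OpenSSL library paths found in one maps file,
#   one per line, deduplicated. Prints nothing for a clean process.
stale_libs_in_maps() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\/lib(ssl|crypto)[^\/]*\.so/ { print $(NF-1) }' "$1" \
        | sort -u
}

# stale_openssl_users
#   Scan every process on the host and print "PID COMMAND LIBRARY" for each
#   stale mapping. Reading another user's maps needs root; processes whose
#   maps cannot be read are skipped. Returns 1 if anything stale was found,
#   so the call can gate a "safe to stop patching" decision.
stale_openssl_users() {
    stale=0
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        libs=$(stale_libs_in_maps "$maps" 2>/dev/null) || continue
        [ -n "$libs" ] || continue
        # Command name lookup via ps is an assumption; any process
        # listing tool that takes a PID would do.
        comm=$(ps -o comm= -p "$pid" 2>/dev/null || echo '?')
        for lib in $libs; do
            echo "$pid $comm $lib"
        done
        stale=1
    done
    [ "$stale" -eq 0 ]
}

# Run the scan only when invoked as "sh stale_openssl.sh scan";
# sourcing the file just defines the functions.
if [ "${1-}" = "scan" ]; then
    stale_openssl_users
fi
```

Run it as root after `rpm -Fvh` has completed; every line it prints is a service that must be restarted before the update is actually effective, and an empty result with exit status 0 means nothing on the host still loads the vulnerable code.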


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.
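The advisory publishes an MD5 sum for every package, and checking those sums before running `rpm -Fvh` is what separates "installed the update" from "installed whatever landed in the download directory". As an added example (not part of the Red Hat advisory), the script below carries the IA-32 package names and sums copied from the Updated packages section of this advisory, verifies whichever of those files are present, and only hands the verified files to `rpm -Fvh`. The download directory path is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Red Hat advisory: verify downloaded RPMs
# against the MD5 sums the advisory lists before handing them to rpm -Fvh.
# Package names and sums below are copied from the advisory's IA-32 list;
# the download directory is an assumption.

RPM_DIR=${RPM_DIR:-/var/tmp/RHSA-2005-829}

# "<md5>  <file>" per line, the layout md5sum -c understands (two spaces).
EXPECTED_SUMS='dc940cb4df552742d6c7d3fd9c5c9f03  openssl-0.9.6b-42.i386.rpm
09831ac8bbf5d1bbe22c0ead3d13df6d  openssl-0.9.6b-42.i686.rpm
94bbc8a314bd892369ff750276c368ad  openssl-devel-0.9.6b-42.i386.rpm
8270f82a34c0076248d1a5345c94f212  openssl-perl-0.9.6b-42.i386.rpm
f579bb9c0315c7e58050af57e69d0732  openssl095a-0.9.5a-28.i386.rpm
a19dce85b7090aec5392b6661c46c359  openssl096-0.9.6-28.i386.rpm'

# md5_matches FILE EXPECTED_MD5 -> 0 when FILE hashes to EXPECTED_MD5
md5_matches() {
    actual=$(md5sum "$1" | awk '{print $1}') || return 1
    [ "$actual" = "$2" ]
}

# verify_downloads DIR
#   rpm -F only upgrades packages that are already installed, so a subset
#   of the list may legitimately be present. Every present file is checked;
#   the names that pass are collected in $verified. Returns non-zero if any
#   present file mismatches or if none of the listed files was found.
verify_downloads() {
    dir=$1; found=0; bad=0; verified=
    while read -r sum file; do
        [ -n "$file" ] || continue
        [ -f "$dir/$file" ] || continue
        found=$((found + 1))
        if md5_matches "$dir/$file" "$sum"; then
            echo "OK       $file"
            verified="$verified $dir/$file"
        else
            echo "MISMATCH $file"
            bad=$((bad + 1))
        fi
    done <<EOF
$EXPECTED_SUMS
EOF
    [ "$found" -gt 0 ] && [ "$bad" -eq 0 ]
}

# apply_update DIR
#   Refuses to run rpm at all unless verification passed, and then passes
#   only the verified files, never a bare *.rpm glob over the directory.
apply_update() {
    if ! verify_downloads "$1"; then
        echo "checksum verification failed; nothing installed" >&2
        return 1
    fi
    # shellcheck disable=SC2086  # intentional word splitting on $verified
    rpm -Fvh $verified
}

# Install only when invoked as "sh verify_and_update.sh install";
# sourcing the file just defines the functions.
if [ "${1-}" = "install" ]; then
    apply_update "$RPM_DIR"
fi
```

The MD5 check confirms you have the bytes the advisory describes; the signature check the advisory mentions at the end (`rpm --checksig` with Red Hat's package key) is the complementary step that confirms who produced them, and both are cheap enough to run every time.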

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Enterprise Linux AS (v. 2.1)

SRPMS:
openssl-0.9.6b-42.src.rpm
File outdated by:  RHSA-2009:0004
    MD5: 5d3842e1c8c96b582868b7e78df6e068
openssl095a-0.9.5a-28.src.rpm
File outdated by:  RHSA-2009:0004
    MD5: cdec5ba64c9530f5d96ea6a3e61520e9
 
IA-32:
openssl-0.9.6b-42.i386.rpm
File outdated by:  RHSA-2009:0004
    MD5: dc940cb4df552742d6c7d3fd9c5c9f03
openssl-0.9.6b-42.i686.rpm
File outdated by:  RHSA-2009:0004
    MD5: 09831ac8bbf5d1bbe22c0ead3d13df6d
openssl-devel-0.9.6b-42.i386.rpm
File outdated by:  RHSA-2009:0004
    MD5: 94bbc8a314bd892369ff750276c368ad
openssl-perl-0.9.6b-42.i386.rpm
File outdated by:  RHSA-2009:0004
    MD5: 8270f82a34c0076248d1a5345c94f212
openssl095a-0.9.5a-28.i386.rpm
File outdated by:  RHSA-2009:0004
    MD5: f579bb9c0315c7e58050af57e69d0732
openssl096-0.9.6-28.i386.rpm
File outdated by:  RHSA-2009:0004
    MD5: a19dce85b7090aec5392b6661c46c359
 
IA-64:
openssl-0.9.6b-42.ia64.rpm
File outdated by:  RHSA-2009:0004
    MD5: 648efec54ef4c0b7882758aa42ff06c5
openssl-devel-0.9.6b-42.ia64.rpm
File outdated by:  RHSA-2009:0004
    MD5: 44a3f01e959b0d90ae4400164c5b1bbe
openssl-perl-0.9.6b-42.ia64.rpm
File outdated by:  RHSA-2009:0004
    MD5: 6bdbd18626254156036ce14a5b424343
openssl095a-0.9.5a-28.ia64.rpm
File outdated by:  RHSA-2009:0004
    MD5: 1e00b7e4fb4ac90f5459baabd638b635
openssl096-0.9.6-28.ia64.rpm
File outdated by:  RHSA-2009:0004
    MD5: 605647590985d7b470662007caf37e58
 
Red Hat Enterprise Linux ES (v. 2.1)

SRPMS:
openssl-0.9.6b-42.src.rpm
File outdated by:  RHSA-2009:0004
    MD5: 5d3842e1c8c96b582868b7e78df6e068
 
IA-32:
openssl-0.9.6b-42.i386.rpm
File outdated by:  RHSA-2009:0004
    MD5: dc940cb4df552742d6c7d3fd9c5c9f03
openssl-0.9.6b-42.i686.rpm
File outdated by:  RHSA-2009:0004
    MD5: 09831ac8bbf5d1bbe22c0ead3d13df6d
openssl-devel-0.9.6b-42.i386.rpm
File outdated by:  RHSA-2009:0004
    MD5: 94bbc8a314bd892369ff750276c368ad
openssl-perl-0.9.6b-42.i386.rpm
File outdated by:  RHSA-2009:0004
    MD5: 8270f82a34c0076248d1a5345c94f212
 
Red Hat Enterprise Linux WS (v. 2.1)

SRPMS:
openssl-0.9.6b-42.src.rpm
File outdated by:  RHSA-2009:0004
    MD5: 5d3842e1c8c96b582868b7e78df6e068
 
IA-32:
openssl-0.9.6b-42.i386.rpm
File outdated by:  RHSA-2009:0004
    MD5: dc940cb4df552742d6c7d3fd9c5c9f03
openssl-0.9.6b-42.i686.rpm
File outdated by:  RHSA-2009:0004
    MD5: 09831ac8bbf5d1bbe22c0ead3d13df6d
openssl-devel-0.9.6b-42.i386.rpm
File outdated by:  RHSA-2009:0004
    MD5: 94bbc8a314bd892369ff750276c368ad
openssl-perl-0.9.6b-42.i386.rpm
File outdated by:  RHSA-2009:0004
    MD5: 8270f82a34c0076248d1a5345c94f212
 
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor

SRPMS:
openssl-0.9.6b-42.src.rpm
File outdated by:  RHSA-2009:0004
    MD5: 5d3842e1c8c96b582868b7e78df6e068
openssl095a-0.9.5a-28.src.rpm
File outdated by:  RHSA-2009:0004
    MD5: cdec5ba64c9530f5d96ea6a3e61520e9
 
IA-64:
openssl-0.9.6b-42.ia64.rpm
File outdated by:  RHSA-2009:0004
    MD5: 648efec54ef4c0b7882758aa42ff06c5
openssl-devel-0.9.6b-42.ia64.rpm
File outdated by:  RHSA-2009:0004
    MD5: 44a3f01e959b0d90ae4400164c5b1bbe
openssl-perl-0.9.6b-42.ia64.rpm
File outdated by:  RHSA-2009:0004
    MD5: 6bdbd18626254156036ce14a5b424343
openssl095a-0.9.5a-28.ia64.rpm
File outdated by:  RHSA-2009:0004
    MD5: 1e00b7e4fb4ac90f5459baabd638b635
openssl096-0.9.6-28.ia64.rpm
File outdated by:  RHSA-2009:0004
    MD5: 605647590985d7b470662007caf37e58
 

Bugs fixed (see bugzilla for more information)

172092 - CVE-2004-0079 OpenSSL remote DoS


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/