
Security Advisory Moderate: openssl security update

Advisory: RHSA-2010:0978-1
Type: Security Advisory
Severity: Moderate
Issued on: 2010-12-13
Last updated on: 2010-12-13
Affected Products: RHEL Desktop Workstation (v. 5 client), Red Hat Enterprise Linux (v. 5 server), Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2008-7270, CVE-2010-4180

Details

Updated openssl packages that fix two security issues are now available for
Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a
full-strength, general purpose cryptography library.

A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code.
A remote attacker could possibly use this flaw to change the ciphersuite
associated with a cached session stored on the server, if the server
enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly
forcing the client to use a weaker ciphersuite after resuming the session.
(CVE-2010-4180, CVE-2008-7270)

Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
option has no effect and this bug workaround can no longer be enabled.

All OpenSSL users should upgrade to these updated packages, which contain a
backported patch to resolve these issues. For the update to take effect,
all services linked to the OpenSSL library must be restarted, or the system
rebooted.
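
The restart requirement above can be checked rather than assumed. The following is an added example, not part of the Red Hat advisory: it lists processes that still map a libssl or libcrypto file that has been replaced on disk. The function names and the sample /proc tree are constructed for illustration, and it assumes the package manager replaces the library file (so the old mapping is shown as "(deleted)") rather than rewriting it in place.

```sh
#!/bin/sh
# Print "PID NAME" for every process that still maps a libssl or libcrypto
# file that was replaced on disk; the kernel marks such mappings "(deleted)".
# $1 is a /proc-style root and defaults to the live /proc (run as root there).
stale_openssl_procs() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # The pattern also covers prelink names like libssl.so.0.9.8e.#prelink#.XXXXXX
        if grep -Eq '/lib(ssl|crypto)[^/ ]*\.so[^/ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            dir=${maps%/maps}
            name=$(sed -n 's/^Name:[[:space:]]*//p' "$dir/status" 2>/dev/null)
            echo "${dir##*/} ${name:-unknown}"
        fi
    done
}

# Constructed sample tree, not captured from a real host: PIDs 1201 and 1422
# started before the update, PID 1350 after it.
make_sample_proc() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/1201" "$tmp/1350" "$tmp/1422"
    printf 'Name:\thttpd\n' > "$tmp/1201/status"
    printf '%s\n' \
        '00101000-00145000 r-xp 00000000 08:02 393301 /lib/libssl.so.0.9.8e (deleted)' \
        '00150000-0027a000 r-xp 00000000 08:02 393299 /lib/libcrypto.so.0.9.8e (deleted)' \
        > "$tmp/1201/maps"
    printf 'Name:\tpostfix\n' > "$tmp/1350/status"
    printf '%s\n' \
        '00101000-00145000 r-xp 00000000 08:02 393377 /lib/libssl.so.0.9.8e' \
        > "$tmp/1350/maps"
    printf 'Name:\tsshd\n' > "$tmp/1422/status"
    printf '%s\n' \
        '00150000-0027a000 r-xp 00000000 08:02 393299 /lib/libcrypto.so.0.9.8e.#prelink#.Qx3Ab1 (deleted)' \
        > "$tmp/1422/maps"
    echo "$tmp"
}

sample=$(make_sample_proc)
stale_openssl_procs "$sample"
rm -rf "$sample"
```

Any process listed is still running the pre-update library code and needs a restart; an empty result from the live /proc means no such mappings remain.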


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
openssl-0.9.8e-12.el5_5.7.src.rpm
File outdated by:  RHEA-2014:0104
 
IA-32:
openssl-devel-0.9.8e-12.el5_5.7.i386.rpm
File outdated by:  RHEA-2014:0104
 
x86_64:
openssl-devel-0.9.8e-12.el5_5.7.i386.rpm
File outdated by:  RHEA-2014:0104
openssl-devel-0.9.8e-12.el5_5.7.x86_64.rpm
File outdated by:  RHEA-2014:0104
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
openssl-0.9.8e-12.el5_5.7.src.rpm
File outdated by:  RHEA-2014:0104
 
IA-32:
openssl-0.9.8e-12.el5_5.7.i386.rpm
File outdated by:  RHEA-2014:0104
openssl-0.9.8e-12.el5_5.7.i686.rpm
File outdated by:  RHEA-2014:0104
openssl-devel-0.9.8e-12.el5_5.7.i386.rpm
File outdated by:  RHEA-2014:0104
openssl-perl-0.9.8e-12.el5_5.7.i386.rpm
File outdated by:  RHEA-2014:0104
 
IA-64:
openssl-0.9.8e-12.el5_5.7.i686.rpm
File outdated by:  RHEA-2014:0104
openssl-0.9.8e-12.el5_5.7.ia64.rpm
File outdated by:  RHEA-2014:0104
openssl-devel-0.9.8e-12.el5_5.7.ia64.rpm
File outdated by:  RHEA-2014:0104
openssl-perl-0.9.8e-12.el5_5.7.ia64.rpm
File outdated by:  RHEA-2014:0104
 
PPC:
openssl-0.9.8e-12.el5_5.7.ppc.rpm
File outdated by:  RHEA-2014:0104
openssl-0.9.8e-12.el5_5.7.ppc64.rpm
File outdated by:  RHEA-2014:0104
openssl-devel-0.9.8e-12.el5_5.7.ppc.rpm
File outdated by:  RHEA-2014:0104
openssl-devel-0.9.8e-12.el5_5.7.ppc64.rpm
File outdated by:  RHEA-2014:0104
openssl-perl-0.9.8e-12.el5_5.7.ppc.rpm
File outdated by:  RHEA-2014:0104
 
s390x:
openssl-0.9.8e-12.el5_5.7.s390.rpm
File outdated by:  RHEA-2014:0104
openssl-0.9.8e-12.el5_5.7.s390x.rpm
File outdated by:  RHEA-2014:0104
openssl-devel-0.9.8e-12.el5_5.7.s390.rpm
File outdated by:  RHEA-2014:0104
openssl-devel-0.9.8e-12.el5_5.7.s390x.rpm
File outdated by:  RHEA-2014:0104
openssl-perl-0.9.8e-12.el5_5.7.s390x.rpm
File outdated by:  RHEA-2014:0104
 
x86_64:
openssl-0.9.8e-12.el5_5.7.i686.rpm
File outdated by:  RHEA-2014:0104
openssl-0.9.8e-12.el5_5.7.x86_64.rpm
File outdated by:  RHEA-2014:0104
openssl-devel-0.9.8e-12.el5_5.7.i386.rpm
File outdated by:  RHEA-2014:0104
openssl-devel-0.9.8e-12.el5_5.7.x86_64.rpm
File outdated by:  RHEA-2014:0104
openssl-perl-0.9.8e-12.el5_5.7.x86_64.rpm
File outdated by:  RHEA-2014:0104
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
openssl-0.9.8e-12.el5_5.7.src.rpm
File outdated by:  RHEA-2014:0104
 
IA-32:
openssl-0.9.8e-12.el5_5.7.i386.rpm
File outdated by:  RHEA-2014:0104
openssl-0.9.8e-12.el5_5.7.i686.rpm
File outdated by:  RHEA-2014:0104
openssl-perl-0.9.8e-12.el5_5.7.i386.rpm
File outdated by:  RHEA-2014:0104
 
x86_64:
openssl-0.9.8e-12.el5_5.7.i686.rpm
File outdated by:  RHEA-2014:0104
openssl-0.9.8e-12.el5_5.7.x86_64.rpm
File outdated by:  RHEA-2014:0104
openssl-perl-0.9.8e-12.el5_5.7.x86_64.rpm
File outdated by:  RHEA-2014:0104
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

659462 - CVE-2010-4180 openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG ciphersuite downgrade attack
660650 - CVE-2008-7270 openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG downgrade-to-disabled ciphersuite attack


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/