Security Advisory Moderate: openssl security, bug fix, and enhancement update

Advisory: RHSA-2011:0677-1
Type: Security Advisory
Severity: Moderate
Issued on: 2011-05-19
Last updated on: 2011-05-19
Affected Products: Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux HPC Node (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2011-0014

Details

Updated openssl packages that fix one security issue, two bugs, and add two
enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a
full-strength, general purpose cryptography library.

A buffer over-read flaw was discovered in the way OpenSSL parsed the
Certificate Status Request TLS extensions in ClientHello TLS handshake
messages. A remote attacker could possibly use this flaw to crash an SSL
server using the affected OpenSSL functionality. (CVE-2011-0014)
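The flaw above is a length-validation failure while parsing an extension body. As an added illustration, not code from the advisory or from OpenSSL itself, here is a bounds-checked parser for the ClientHello status_request extension laid out as RFC 6066 defines it (status_type, responder_id_list, request_extensions): every length field is compared against the bytes actually present before anything is read, which is the check that turns a malformed extension into a clean rejection instead of an over-read. The type and function names and the two sample bodies are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Parsed view of a ClientHello status_request extension body (RFC 6066). */
typedef struct {
    uint8_t status_type;
    size_t responder_count;
    size_t extensions_len;
} status_request_t;

/* Read a 16-bit big-endian length field without reading past 'end'. */
static int read_u16(const uint8_t **p, const uint8_t *end, size_t *out)
{
    if (end - *p < 2) return 0;
    *out = ((size_t)(*p)[0] << 8) | (*p)[1];
    *p += 2;
    return 1;
}

/* Parse 'len' bytes of extension body. Each length field is checked against
 * the bytes remaining before anything is read, so a truncated or inconsistent
 * extension is rejected instead of being read past its end. 1 = ok, 0 = bad. */
int parse_status_request(const uint8_t *data, size_t len, status_request_t *out)
{
    const uint8_t *p = data, *end = data + len, *list_end;
    size_t list_len, id_len, ext_len;
    memset(out, 0, sizeof *out);
    if (len < 1) return 0;
    out->status_type = *p++;
    if (out->status_type != 1) return 0;          /* only ocsp(1) is defined */
    if (!read_u16(&p, end, &list_len)) return 0;
    if ((size_t)(end - p) < list_len) return 0;   /* list claims absent bytes */
    list_end = p + list_len;
    while (p < list_end) {                        /* ResponderID<1..2^16-1> entries */
        if (!read_u16(&p, list_end, &id_len)) return 0;
        if (id_len == 0 || (size_t)(list_end - p) < id_len) return 0;
        p += id_len;
        out->responder_count++;
    }
    if (!read_u16(&p, end, &ext_len)) return 0;
    if ((size_t)(end - p) != ext_len) return 0;   /* extensions fill the rest */
    out->extensions_len = ext_len;
    return 1;
}

/* Constructed sample bodies (not from the advisory): a well-formed one with a
 * single 3-byte ResponderID, and one whose list length claims 16 absent bytes. */
static const uint8_t sample_ok[]    = {0x01, 0x00,0x05, 0x00,0x03,0xaa,0xbb,0xcc, 0x00,0x00};
static const uint8_t sample_short[] = {0x01, 0x00,0x10, 0x00,0x03,0xaa,0xbb,0xcc, 0x00,0x00};
```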

This update fixes the following bugs:

* The "openssl speed" command (which provides algorithm speed measurement)
failed when openssl was running in FIPS (Federal Information Processing
Standards) mode, even if testing of FIPS approved algorithms was requested.
FIPS mode disables ciphers and cryptographic hash algorithms that are not
approved by the NIST (National Institute of Standards and Technology)
standards. With this update, the "openssl speed" command no longer fails.
(BZ#619762)

* The "openssl pkcs12 -export" command failed to export a PKCS#12 file in
FIPS mode. The default algorithm for encrypting a certificate in the
PKCS#12 file was not FIPS approved and thus did not work. The command now
uses a FIPS approved algorithm by default in FIPS mode. (BZ#673453)

This update also adds the following enhancements:

* The "openssl s_server" command, which previously accepted connections
only over IPv4, now accepts connections over IPv6. (BZ#601612)

* For the purpose of allowing certain maintenance commands to be run (such
as "rsync"), an "OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW" environment variable
has been added. When a system is configured for FIPS mode and is in a
maintenance state, this newly added environment variable can be set to
allow software that requires the use of an MD5 cryptographic hash algorithm
to be run, even though the hash algorithm is not approved by the FIPS 140-2
standard. (BZ#673071)

Users of OpenSSL are advised to upgrade to these updated packages, which
contain backported patches to resolve these issues and add these
enhancements. For the update to take effect, all services linked to the
OpenSSL library must be restarted, or the system rebooted.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages


Bugs fixed (see bugzilla for more information)

601612 - s_server doesn't listen for ipv6 connections
619762 - openssl speed cmd fails on FIPS enabled machine
676063 - CVE-2011-0014 openssl: OCSP stapling vulnerability

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/