Security Advisory Important: openssl security update

Advisory: RHSA-2014:0377-1
Type: Security Advisory
Severity: Important
Issued on: 2014-04-08
Last updated on: 2014-04-08
Affected Products: Red Hat Storage Server 2.1
CVEs (cve.mitre.org): CVE-2014-0160

Details

Updated openssl packages that fix one security issue are now available for
Red Hat Storage 2.1.

The Red Hat Security Response Team has rated this update as having
Important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a
full-strength, general purpose cryptography library.

An information disclosure flaw was found in the way OpenSSL handled TLS and
DTLS Heartbeat Extension packets. A malicious TLS or DTLS client or server
could send a specially crafted TLS or DTLS Heartbeat packet to disclose a
limited portion of memory per request from a connected client or server.
Note that the disclosed portions of memory could potentially include
sensitive information such as private keys. (CVE-2014-0160)

Red Hat would like to thank the OpenSSL project for reporting this issue.
Upstream acknowledges Neel Mehta of Google Security as the original
reporter.

All users of Red Hat Storage are advised to upgrade to these updated
packages, which contain a backported patch to correct this issue. For the
update to take effect, all services linked to the OpenSSL library (such as
httpd and other SSL-enabled services) must be restarted or the system
rebooted.
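The paragraph above implies two post-update checks: that the installed openssl package is at least the fixed version, and that no long-running service is still mapping the pre-update copy of libssl/libcrypto (an RPM upgrade replaces the file on disk, so the old mapping shows up in /proc/PID/maps with a "(deleted)" suffix until the process is restarted). The following POSIX shell script is an added example, not part of the Red Hat advisory; it assumes GNU coreutils (`sort -V`) and a Linux /proc, takes the fixed version-release 1.0.1e-16.el6_5.7 from this advisory's package list, and the function names are the example's own. Run it as root with `RUN_CHECKS=1 sh heartbleed-check.sh`; a non-zero exit means something still needs attention.

```shell
#!/bin/sh
# Added example (not from the Red Hat advisory): post-update checks for a
# Red Hat Storage 2.1 node after RHSA-2014:0377. Assumes GNU coreutils
# (sort -V) and a Linux /proc; the fixed version comes from the advisory.

FIXED_OPENSSL="1.0.1e-16.el6_5.7"   # VERSION-RELEASE of the fixed openssl package

# version_lt A B: true when A sorts before B under version ordering.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# openssl_needs_update [INSTALLED]: true when the installed openssl
# version-release is older than the fixed one. INSTALLED defaults to what
# rpm reports on this host; pass it explicitly to check a value offline.
openssl_needs_update() {
    installed="${1:-$(rpm -q --qf '%{VERSION}-%{RELEASE}' openssl 2>/dev/null)}"
    if [ -z "$installed" ]; then
        echo "openssl: not installed or rpm unavailable" >&2
        return 2
    fi
    version_lt "$installed" "$FIXED_OPENSSL"
}

# maps_has_stale_ssl MAPS_FILE: true when a /proc/PID/maps-style file shows
# libssl or libcrypto mapped from a file that was replaced on disk (the
# kernel marks such mappings "(deleted)"); that process still runs the
# pre-update code and must be restarted.
maps_has_stale_ssl() {
    grep -Eq 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$1" 2>/dev/null
}

# stale_ssl_pids: print "PID COMMAND" for every process still using a
# replaced libssl/libcrypto. Reading other users' maps requires root.
stale_ssl_pids() {
    for maps in /proc/[0-9]*/maps; do
        pid="${maps#/proc/}"; pid="${pid%/maps}"
        if maps_has_stale_ssl "$maps"; then
            cmd="$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -d' ' -f1)"
            printf '%s %s\n' "$pid" "$cmd"
        fi
    done
}

# main: run both checks; exit non-zero if the update or a restart is missing.
main() {
    status=0
    if openssl_needs_update; then
        echo "openssl older than $FIXED_OPENSSL: apply RHSA-2014:0377"
        status=1
    fi
    stale="$(stale_ssl_pids)"
    if [ -n "$stale" ]; then
        echo "processes still using the old OpenSSL library (restart them):"
        echo "$stale"
        status=1
    fi
    return "$status"
}

# Guarded so the functions can also be sourced for testing.
if [ "${RUN_CHECKS:-0}" = "1" ]; then
    main
fi
```

The version comparison deliberately treats "equal to the fixed release" as up to date, and any later release (for example the one from RHSA-2015:0752 that supersedes these packages) as not needing this update; a reboot clears the "(deleted)" mappings as well, since every process is then started against the new library.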
Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Updated packages

Red Hat Storage Server 2.1

SRPMS:
openssl-1.0.1e-16.el6_5.7.src.rpm
    File outdated by: RHSA-2015:0752
    MD5:     bd8cd18d0d76eeca5d08781b5b6712b8
    SHA-256: dd7f3bddba0a4d4084ec98ed71d50314c8644346924676dc9b10cd2de2bc90d1

x86_64:
openssl-1.0.1e-16.el6_5.7.x86_64.rpm
    File outdated by: RHSA-2015:0752
    MD5:     6fcf4efe58746a7b25a7654982b0e3d2
    SHA-256: 10d813e9fcc55f47655791e269b40fecd45b8396230b1c03a0ed77d859a4b0d2
openssl-debuginfo-1.0.1e-16.el6_5.7.x86_64.rpm
    File outdated by: RHSA-2015:0752
    MD5:     7f8eb8ea7db416e34afeaa6e7d10380a
    SHA-256: 1d3702a766e4c3b150eb7aa04772e61302e985ddc0d23d05c83b32347891637a
openssl-devel-1.0.1e-16.el6_5.7.x86_64.rpm
    File outdated by: RHSA-2015:0752
    MD5:     b23db98a10a6e58ef4a829367496e9dc
    SHA-256: 6f0e88747e196160a552998c94c13f0be0acd14122d0a8b992833e068b12e9ee
openssl-perl-1.0.1e-16.el6_5.7.x86_64.rpm
    File outdated by: RHSA-2015:0752
    MD5:     5c399d655138be5a4b5da773e3b1af6c
    SHA-256: da22dff3394579ab544d772d37a3b57b89ee334d96c641409793560b5f17cafc
openssl-static-1.0.1e-16.el6_5.7.x86_64.rpm
    File outdated by: RHSA-2015:0752
    MD5:     b8e2eb964b0b4f4d9fc6ea9676aba257
    SHA-256: 82412749e48786c0f272ed83b391f6cf56410268e365ace556fedfcb0d04f8e1

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1084875 - CVE-2014-0160 openssl: information disclosure in handling of TLS heartbeat extension packets

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/