Security Advisory Important: openssl security update

Advisory: RHSA-2016:1137-1
Type: Security Advisory
Severity: Important
Issued on: 2016-05-31
Last updated on: 2016-05-31
Affected Products:
  RHEL Desktop Workstation (v. 5 client)
  Red Hat Enterprise Linux (v. 5 server)
  Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2016-2108

Details

An update for openssl is now available for Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) protocols, as well as a full-strength
general-purpose cryptography library.

Security Fix(es):

* A flaw was found in the way OpenSSL encoded certain ASN.1 data structures. An
attacker could use this flaw to create a specially crafted certificate which,
when verified or re-encoded by OpenSSL, could cause it to crash, or execute
arbitrary code using the permissions of the user running an application compiled
against the OpenSSL library. (CVE-2016-2108)

Red Hat would like to thank the OpenSSL project for reporting this issue.
Upstream acknowledges Huzaifa Sidhpurwala (Red Hat), Hanno Böck, and David
Benjamin (Google) as the original reporters.


Solution

For details on how to apply this update, which includes the changes described in
this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library must
be restarted, or the system rebooted.
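
The restart requirement above can be checked rather than assumed. The following shell function is an added example, not part of the Red Hat advisory: it lists processes that still map a libssl or libcrypto file that the update has replaced. The function names and the sample /proc tree (PIDs, process names, library paths) are constructed for illustration; on a live system, reading other users' maps files requires root.

```shell
#!/bin/sh
# Print "PID NAME" for each process under proc root $1 (default /proc) whose
# maps file shows a libssl/libcrypto mapping marked "(deleted)": the kernel's
# label for a mapped library file that the package update has since replaced.
stale_openssl_procs() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid_dir=${maps%/maps}
            # status is present on old kernels too, unlike /proc/PID/comm
            name=$(sed -n 's/^Name:[[:space:]]*//p' "$pid_dir/status" 2>/dev/null)
            echo "${pid_dir##*/} ${name:-?}"
        fi
    done
}

# Constructed sample: a /proc-like tree in directory $1. PID 101 started before
# the update, PID 202 after it, PID 303 does not load OpenSSL at all.
make_sample_proc() {
    root="$1"
    mkdir -p "$root/101" "$root/202" "$root/303"
    printf 'Name:\thttpd\n' > "$root/101/status"
    printf 'Name:\tsshd\n' > "$root/202/status"
    printf 'Name:\tcrond\n' > "$root/303/status"
    cat > "$root/101/maps" <<'EOF'
00400000-0044e000 r-xp 00000000 fd:00 1311 /usr/sbin/httpd
2b5c1000-2b60d000 r-xp 00000000 fd:00 2201 /lib64/libssl.so.0.9.8e (deleted)
2b80e000-2b93b000 r-xp 00000000 fd:00 2199 /lib64/libcrypto.so.0.9.8e (deleted)
EOF
    cat > "$root/202/maps" <<'EOF'
00400000-00460000 r-xp 00000000 fd:00 1402 /usr/sbin/sshd
2b80e000-2b93b000 r-xp 00000000 fd:00 2307 /lib64/libcrypto.so.0.9.8e
EOF
    cat > "$root/303/maps" <<'EOF'
00400000-0040b000 r-xp 00000000 fd:00 1509 /usr/sbin/crond
2b10a000-2b257000 r-xp 00000000 fd:00 2001 /lib64/libc-2.5.so
EOF
}

# Demo on the constructed tree; on a live system run: stale_openssl_procs
tmp=$(mktemp -d) && make_sample_proc "$tmp" && stale_openssl_procs "$tmp"
rm -rf "$tmp"
```

An empty result after the update means no running process is still using the old library; any PID listed belongs to a service that has not yet been restarted.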

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
openssl-0.9.8e-40.el5_11.src.rpm

IA-32:
openssl-debuginfo-0.9.8e-40.el5_11.i386.rpm
openssl-devel-0.9.8e-40.el5_11.i386.rpm

x86_64:
openssl-debuginfo-0.9.8e-40.el5_11.i386.rpm
openssl-debuginfo-0.9.8e-40.el5_11.x86_64.rpm
openssl-devel-0.9.8e-40.el5_11.i386.rpm
openssl-devel-0.9.8e-40.el5_11.x86_64.rpm
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
openssl-0.9.8e-40.el5_11.src.rpm

IA-32:
openssl-0.9.8e-40.el5_11.i386.rpm
openssl-0.9.8e-40.el5_11.i686.rpm
openssl-debuginfo-0.9.8e-40.el5_11.i386.rpm
openssl-debuginfo-0.9.8e-40.el5_11.i686.rpm
openssl-devel-0.9.8e-40.el5_11.i386.rpm
openssl-perl-0.9.8e-40.el5_11.i386.rpm

IA-64:
openssl-0.9.8e-40.el5_11.i686.rpm
openssl-0.9.8e-40.el5_11.ia64.rpm
openssl-debuginfo-0.9.8e-40.el5_11.i686.rpm
openssl-debuginfo-0.9.8e-40.el5_11.ia64.rpm
openssl-devel-0.9.8e-40.el5_11.ia64.rpm
openssl-perl-0.9.8e-40.el5_11.ia64.rpm

PPC:
openssl-0.9.8e-40.el5_11.ppc.rpm
openssl-0.9.8e-40.el5_11.ppc64.rpm
openssl-debuginfo-0.9.8e-40.el5_11.ppc.rpm
openssl-debuginfo-0.9.8e-40.el5_11.ppc64.rpm
openssl-devel-0.9.8e-40.el5_11.ppc.rpm
openssl-devel-0.9.8e-40.el5_11.ppc64.rpm
openssl-perl-0.9.8e-40.el5_11.ppc.rpm

s390x:
openssl-0.9.8e-40.el5_11.s390.rpm
openssl-0.9.8e-40.el5_11.s390x.rpm
openssl-debuginfo-0.9.8e-40.el5_11.s390.rpm
openssl-debuginfo-0.9.8e-40.el5_11.s390x.rpm
openssl-devel-0.9.8e-40.el5_11.s390.rpm
openssl-devel-0.9.8e-40.el5_11.s390x.rpm
openssl-perl-0.9.8e-40.el5_11.s390x.rpm

x86_64:
openssl-0.9.8e-40.el5_11.i686.rpm
openssl-0.9.8e-40.el5_11.x86_64.rpm
openssl-debuginfo-0.9.8e-40.el5_11.i386.rpm
openssl-debuginfo-0.9.8e-40.el5_11.i686.rpm
openssl-debuginfo-0.9.8e-40.el5_11.x86_64.rpm
openssl-devel-0.9.8e-40.el5_11.i386.rpm
openssl-devel-0.9.8e-40.el5_11.x86_64.rpm
openssl-perl-0.9.8e-40.el5_11.x86_64.rpm
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
openssl-0.9.8e-40.el5_11.src.rpm

IA-32:
openssl-0.9.8e-40.el5_11.i386.rpm
openssl-0.9.8e-40.el5_11.i686.rpm
openssl-debuginfo-0.9.8e-40.el5_11.i386.rpm
openssl-debuginfo-0.9.8e-40.el5_11.i686.rpm
openssl-perl-0.9.8e-40.el5_11.i386.rpm

x86_64:
openssl-0.9.8e-40.el5_11.i686.rpm
openssl-0.9.8e-40.el5_11.x86_64.rpm
openssl-debuginfo-0.9.8e-40.el5_11.i686.rpm
openssl-debuginfo-0.9.8e-40.el5_11.x86_64.rpm
openssl-perl-0.9.8e-40.el5_11.x86_64.rpm
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1331402 - CVE-2016-2108 openssl: Memory corruption in the ASN.1 encoder


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/