Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: Pat Riehecky <riehecky-13hema8v3vg <at> public.gmane.org>
Subject: Security ERRATA Moderate: openssl on SL5.x, SL6.x i386/x86_64
Newsgroups: gmane.linux.scientific.errata
Date: Monday 4th March 2013 22:58:32 UTC (over 3 years ago)
Synopsis:          Moderate: openssl security update
Issue Date:        2013-03-04
CVE Numbers:       CVE-2013-0169
                    CVE-2012-4929
                    CVE-2013-0166
--

It was discovered that OpenSSL leaked timing information when decrypting
TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites
were used. A remote attacker could possibly use this flaw to retrieve
plain text from the encrypted packets by using a TLS/SSL or DTLS server 
as a padding oracle. (CVE-2013-0169)

A NULL pointer dereference flaw was found in the OCSP response
verification in OpenSSL. A malicious OCSP server could use this flaw to
crash applications performing OCSP verification by sending a specially-
crafted response. (CVE-2013-0166)

It was discovered that the TLS/SSL protocol could leak information about
plain text when optional compression was used. An attacker able to control
part of the plain text sent over an encrypted TLS/SSL connection could
possibly use this flaw to recover other portions of the plain text.
(CVE-2012-4929)

Note: This update disables zlib compression, which was previously enabled
in OpenSSL by default. Applications using OpenSSL now need to explicitly
enable zlib compression to use it.

It was found that OpenSSL read certain environment variables even when
used by a privileged (setuid or setgid) application. A local attacker
could use this flaw to escalate their privileges. No application shipped
with Scientific Linux 5 and 6 was affected by this problem.

For the update to take effect, all services linked to the OpenSSL
library must be restarted, or the system rebooted.
--

SL5
   x86_64
     openssl-0.9.8e-26.el5_9.1.i686.rpm
     openssl-0.9.8e-26.el5_9.1.x86_64.rpm
     openssl-debuginfo-0.9.8e-26.el5_9.1.i686.rpm
     openssl-debuginfo-0.9.8e-26.el5_9.1.x86_64.rpm
     openssl-perl-0.9.8e-26.el5_9.1.x86_64.rpm
     openssl-debuginfo-0.9.8e-26.el5_9.1.i386.rpm
     openssl-devel-0.9.8e-26.el5_9.1.i386.rpm
     openssl-devel-0.9.8e-26.el5_9.1.x86_64.rpm
   i386
     openssl-0.9.8e-26.el5_9.1.i386.rpm
     openssl-0.9.8e-26.el5_9.1.i686.rpm
     openssl-debuginfo-0.9.8e-26.el5_9.1.i386.rpm
     openssl-debuginfo-0.9.8e-26.el5_9.1.i686.rpm
     openssl-perl-0.9.8e-26.el5_9.1.i386.rpm
     openssl-devel-0.9.8e-26.el5_9.1.i386.rpm
SL6
   x86_64
     openssl-1.0.0-27.el6_4.2.i686.rpm
     openssl-1.0.0-27.el6_4.2.x86_64.rpm
     openssl-debuginfo-1.0.0-27.el6_4.2.i686.rpm
     openssl-debuginfo-1.0.0-27.el6_4.2.x86_64.rpm
     openssl-devel-1.0.0-27.el6_4.2.i686.rpm
     openssl-devel-1.0.0-27.el6_4.2.x86_64.rpm
     openssl-perl-1.0.0-27.el6_4.2.x86_64.rpm
     openssl-static-1.0.0-27.el6_4.2.x86_64.rpm
   i386
     openssl-1.0.0-27.el6_4.2.i686.rpm
     openssl-debuginfo-1.0.0-27.el6_4.2.i686.rpm
     openssl-devel-1.0.0-27.el6_4.2.i686.rpm
     openssl-perl-1.0.0-27.el6_4.2.i686.rpm
     openssl-static-1.0.0-27.el6_4.2.i686.rpm

- Scientific Linux Development Team
 
CD: 3ms