4.197. openssl

Updated openssl packages that fix one security issue are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link associated with the description below.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.

Security Fix

CVE-2011-3207
An uninitialized variable use flaw was found in OpenSSL. This flaw could cause an application using the OpenSSL Certificate Revocation List (CRL) checking functionality to incorrectly accept a CRL that has a nextUpdate date in the past.
All OpenSSL users should upgrade to these updated packages, which contain a backported patch to resolve this issue. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
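
One way to check the restart requirement above, given as an added example that is not part of the advisory or of Red Hat's tooling: list the processes that still map a pre-update copy of libssl or libcrypto. The function names, PIDs and library paths are assumptions, and the sample maps files are constructed so that the script runs offline.

```shell
#!/bin/sh
# Added example: find processes that still map a pre-update copy of libssl or
# libcrypto. Once the package replaces the file, the kernel appends "(deleted)"
# to the mapping's path in /proc/<pid>/maps until the process is restarted.

# stale_openssl_maps MAPS_FILE: print the distinct stale library paths.
stale_openssl_maps() {
    awk '
        # Field 6 is the mapped path; the last field flags an unlinked file.
        $NF == "(deleted)" && $6 ~ /\/lib(ssl|crypto)\.so/ { seen[$6] = 1 }
        END { for (p in seen) print p }
    ' "$1" | sort
}

# scan_proc PROC_ROOT: print "PID<TAB>path" for each stale mapping found.
scan_proc() {
    for maps in "$1"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps%/maps}; pid=${pid##*/}
        stale_openssl_maps "$maps" 2>/dev/null | while IFS= read -r lib; do
            printf '%s\t%s\n' "$pid" "$lib"
        done
    done
}

# make_sample: build a constructed /proc-like tree (paths and PIDs are made up).
# PID 101 was not restarted after the update; PID 202 was.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/101" "$root/202"
    cat > "$root/101/maps" <<'EOF'
7f3c1a000000-7f3c1a05a000 r-xp 00000000 fd:00 1234 /usr/lib64/libssl.so.1.0.0 (deleted)
7f3c1a400000-7f3c1a5b0000 r-xp 00000000 fd:00 1235 /usr/lib64/libcrypto.so.1.0.0 (deleted)
7f3c1a5b0000-7f3c1a7af000 ---p 001b0000 fd:00 1235 /usr/lib64/libcrypto.so.1.0.0 (deleted)
EOF
    cat > "$root/202/maps" <<'EOF'
7f9d2c000000-7f9d2c05a000 r-xp 00000000 fd:00 5678 /usr/lib64/libssl.so.1.0.0
7f9d2c400000-7f9d2c5b0000 r-xp 00000000 fd:00 5679 /usr/lib64/libcrypto.so.1.0.0
EOF
    printf '%s\n' "$root"
}

# Demo on the constructed tree; on a real host run `scan_proc /proc` as root.
sample=$(make_sample)
scan_proc "$sample"
rm -rf "$sample"
```

Any PID the scan reports belongs to a process that is still executing the unpatched library code and has to be restarted.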

Updated openssl packages that fix two bugs and add several enhancements are now available for Red Hat Enterprise Linux 6.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Bug Fixes

BZ#693863
Prior to this update, repeatedly loading and unloading the CHIL engine could cause the calling program to terminate unexpectedly with a segmentation fault. This happened because a function pointer was not properly cleared after the engine was unloaded. With this update, the underlying source code has been corrected to clear the function pointer when the engine is unloaded, and the calling program no longer crashes in this scenario.
BZ#740188
Due to missing variable initialization, the CHIL engine could occasionally fail to load. This update corrects the underlying source code to properly initialize this variable so that the CHIL engine is no longer prevented from loading.

Enhancements

BZ#696389
The performance of the AES encryption algorithm on CPUs with the AES-NI instruction set, as well as of the SHA-1 and RC4 algorithms on 32-bit and 64-bit x86 architectures, has been significantly improved.
BZ#708511
For testing purposes, the OpenSSL source RPM package can now be built without additional patches.
BZ#723994
Partial RELRO is now enabled during the build of the OpenSSL libraries to improve the resistance of applications that use these libraries to the exploitation of security vulnerabilities.
BZ#726081
Users can now explicitly disable the built-in AES-NI (Advanced Encryption Standard New Instructions) CPU instruction acceleration support by setting the OPENSSL_DISABLE_AES_NI environment variable to any value.
BZ#740872
Prior to this update, there was no direct KAT (known answer test) self-test for the SHA-2 algorithms in FIPS mode; these algorithms were self-tested only during the HMAC self-tests. This update provides an implementation of the direct KAT self-test for SHA-2 algorithms.
BZ#693858
Previously, the manual and help pages for various subcommands of the openssl utility did not specify all digest algorithms. This update adapts these pages and users are now instructed to run the "openssl dgst -h" command, which lists all available digests.
All users of openssl are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

Updated openssl packages that add several enhancements are now available for Red Hat Enterprise Linux 6.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Enhancements

BZ#709020
With this update, the openssl API for the DSA algorithm has been enhanced to allow for presetting the prime (P) and the subprime (Q) parameters when generating the base (G) parameter. This is necessary for the algorithm correctness validation according to the FIPS-186-3 standard.
BZ#711336
With this update, the implementation of the AES encryption algorithm with support for AES-NI processor instructions is now also enabled in FIPS mode.
Users of openssl are advised to upgrade to these updated packages, which add these enhancements.