4.121. openssl
Updated openssl packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.
Security Fixes
- CVE-2012-1165
- A NULL pointer dereference flaw was found in the way OpenSSL parsed Secure/Multipurpose Internet Mail Extensions (S/MIME) messages. An attacker could use this flaw to crash an application that uses OpenSSL to decrypt or verify S/MIME messages.
- CVE-2012-0884
- A flaw was found in the PKCS#7 and Cryptographic Message Syntax (CMS) implementations in OpenSSL. An attacker could possibly use this flaw to perform a Bleichenbacher attack to decrypt an encrypted CMS, PKCS#7, or S/MIME message by sending a large number of chosen ciphertext messages to a service using OpenSSL and measuring error response times.
This update also fixes a regression caused by the fix for CVE-2011-4619, released via RHSA-2012:0060 and RHSA-2012:0059, which caused Server Gated Cryptography (SGC) handshakes to fail.
All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
Updated openssl, openssl097a, and openssl098e packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.
Security Fix
- CVE-2012-2110
- Multiple numeric conversion errors, leading to a buffer overflow, were found in the way OpenSSL parsed ASN.1 (Abstract Syntax Notation One) data from BIO (OpenSSL's I/O abstraction) inputs. Specially-crafted DER (Distinguished Encoding Rules) encoded data read from a file or other BIO input could cause an application using the OpenSSL library to crash or, potentially, execute arbitrary code.
All OpenSSL users should upgrade to these updated packages, which contain a backported patch to resolve this issue. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
Updated openssl packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.
Security Fix
- CVE-2012-2333
- An integer underflow flaw, leading to a buffer over-read, was found in the way OpenSSL handled DTLS (Datagram Transport Layer Security) application data record lengths when using a block cipher in CBC (cipher-block chaining) mode. A malicious DTLS client or server could use this flaw to crash its DTLS connection peer.
Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges Codenomicon as the original reporter.
On Red Hat Enterprise Linux 6, this update also fixes an uninitialized variable use bug, introduced by the fix for CVE-2012-0884 (released via RHSA-2012:0426). This bug could possibly cause an attempt to create an encrypted message in the CMS (Cryptographic Message Syntax) format to fail.
All OpenSSL users should upgrade to these updated packages, which contain a backported patch to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.