RHSA-2007:0813-01 Moderate: openssl security update
Posted on: 10/22/2007 02:25 PM

A new update is available for Red Hat Enterprise Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Moderate: openssl security update
Advisory ID: RHSA-2007:0813-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2007-0813.html
Issue date: 2007-10-22
Updated on: 2007-10-22
Product: Red Hat Enterprise Linux
Cross references: RHSA-2007:0806
CVE Names: CVE-2007-3108 CVE-2007-5135
- ---------------------------------------------------------------------

1. Summary:

Updated OpenSSL packages that correct security issues are now available for
Red Hat Enterprise Linux 2.1 and 3.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

A flaw was found in the SSL_get_shared_ciphers() utility function. An
attacker could send a list of ciphers to an application that used this
function and overrun a buffer with a single byte (CVE-2007-5135). Few
applications make use of this vulnerable function and generally it is used
only when applications are compiled for debugging.

A number of possible side-channel attacks were discovered affecting
OpenSSL. A local attacker could possibly obtain RSA private keys being
used on a system. In practice these attacks would be difficult to perform
outside of a lab environment. This update contains backported patches
designed to mitigate these issues. (CVE-2007-3108).

Users of OpenSSL should upgrade to these updated packages, which contain
backported patches to resolve these issues.

Note: After installing this update, users are advised to either restart all
services that use OpenSSL or restart their system.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/):

245732 - CVE-2007-3108 RSA side-channel attack
250573 - CVE-NONE openssl branch prediction attacks
309801 - CVE-2007-5135 openssl SSL_get_shared_ciphers() off-by-one

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 :

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/openssl-0.9.6b-48.src.rpm
241c11e07657d431d82299dcdace1538 openssl-0.9.6b-48.src.rpm

i386:
e733431a8c900a5f6cda4ee24ff4370a openssl-0.9.6b-48.i386.rpm
de59b644999b3c60c22b9ee707b3ad27 openssl-0.9.6b-48.i686.rpm
29a57ca9b091d27649aa00fe28916011 openssl-devel-0.9.6b-48.i386.rpm
8ddaf7d36daa25228d589b0b418518c7 openssl-perl-0.9.6b-48.i386.rpm

ia64:
7b3744aaf24edc10108b035eb4201e8a openssl-0.9.6b-48.ia64.rpm
b4ef30aa6c02c246af8ecc6239bd27c9 openssl-devel-0.9.6b-48.ia64.rpm
1f73927a5997209a03d171b241fea780 openssl-perl-0.9.6b-48.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/openssl-0.9.6b-48.src.rpm
241c11e07657d431d82299dcdace1538 openssl-0.9.6b-48.src.rpm

ia64:
7b3744aaf24edc10108b035eb4201e8a openssl-0.9.6b-48.ia64.rpm
b4ef30aa6c02c246af8ecc6239bd27c9 openssl-devel-0.9.6b-48.ia64.rpm
1f73927a5997209a03d171b241fea780 openssl-perl-0.9.6b-48.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/openssl-0.9.6b-48.src.rpm
241c11e07657d431d82299dcdace1538 openssl-0.9.6b-48.src.rpm

i386:
e733431a8c900a5f6cda4ee24ff4370a openssl-0.9.6b-48.i386.rpm
de59b644999b3c60c22b9ee707b3ad27 openssl-0.9.6b-48.i686.rpm
29a57ca9b091d27649aa00fe28916011 openssl-devel-0.9.6b-48.i386.rpm
8ddaf7d36daa25228d589b0b418518c7 openssl-perl-0.9.6b-48.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/openssl-0.9.6b-48.src.rpm
241c11e07657d431d82299dcdace1538 openssl-0.9.6b-48.src.rpm

i386:
e733431a8c900a5f6cda4ee24ff4370a openssl-0.9.6b-48.i386.rpm
de59b644999b3c60c22b9ee707b3ad27 openssl-0.9.6b-48.i686.rpm
29a57ca9b091d27649aa00fe28916011 openssl-devel-0.9.6b-48.i386.rpm
8ddaf7d36daa25228d589b0b418518c7 openssl-perl-0.9.6b-48.i386.rpm

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/openssl-0.9.7a-33.24.src.rpm
b2e9f291195f6a8e3b6b77d1722e4c32 openssl-0.9.7a-33.24.src.rpm

i386:
db30d33b3590d5267f22c355953ec333 openssl-0.9.7a-33.24.i386.rpm
e6e165ab5f3774c2494865920f0773a0 openssl-0.9.7a-33.24.i686.rpm
06d53bf4d8d9c3eb8414cdaf907df743 openssl-debuginfo-0.9.7a-33.24.i386.rpm
2d682d4c0b39e7b01c57887c845c31d2 openssl-debuginfo-0.9.7a-33.24.i686.rpm
b4744e8c4e8322691cdf8a74f382d291 openssl-devel-0.9.7a-33.24.i386.rpm
e89ed20c06ce1cbe489fb58043b06986 openssl-perl-0.9.7a-33.24.i386.rpm

ia64:
e6e165ab5f3774c2494865920f0773a0 openssl-0.9.7a-33.24.i686.rpm
3b73e6c1ddea4868fb9ca1ef0d0e8908 openssl-0.9.7a-33.24.ia64.rpm
2d682d4c0b39e7b01c57887c845c31d2 openssl-debuginfo-0.9.7a-33.24.i686.rpm
d4ad6188e4b032b6c5c87c9c305ee06f openssl-debuginfo-0.9.7a-33.24.ia64.rpm
9094dc39705ac75c3418f6f1038f1544 openssl-devel-0.9.7a-33.24.ia64.rpm
5b421c027aa30dd7ac5e9ecd67183cb4 openssl-perl-0.9.7a-33.24.ia64.rpm

ppc:
c762fa662388f5a5275b7dde930b2248 openssl-0.9.7a-33.24.ppc.rpm
be5500db07523ca80a9c3c0d76d9c60c openssl-0.9.7a-33.24.ppc64.rpm
8e6393deb6259106bee5a688f5207b4a openssl-debuginfo-0.9.7a-33.24.ppc.rpm
7cad1081f26623f5ed741cf8e2593541 openssl-debuginfo-0.9.7a-33.24.ppc64.rpm
a5aeeed998d77dec869f595cd3315bc8 openssl-devel-0.9.7a-33.24.ppc.rpm
86ccb62b0a712d5d98a229f9545dccd4 openssl-perl-0.9.7a-33.24.ppc.rpm

s390:
9eccbeb0fcc59b9218d082f9c85b5ea1 openssl-0.9.7a-33.24.s390.rpm
3da3860e8890f76a59d6697e547a0b01 openssl-debuginfo-0.9.7a-33.24.s390.rpm
c6e9aec6b0a2d7500c64d964d2b742b7 openssl-devel-0.9.7a-33.24.s390.rpm
db1be7fee72ff6d686cca42bc40cbfe9 openssl-perl-0.9.7a-33.24.s390.rpm

s390x:
9eccbeb0fcc59b9218d082f9c85b5ea1 openssl-0.9.7a-33.24.s390.rpm
443dd8a5a6434f373d9ac8ae9974e6b4 openssl-0.9.7a-33.24.s390x.rpm
3da3860e8890f76a59d6697e547a0b01 openssl-debuginfo-0.9.7a-33.24.s390.rpm
72755a7981cb27bbaf18bc0fe95e3bb1 openssl-debuginfo-0.9.7a-33.24.s390x.rpm
b5ece9779173a3012a9b33bafb04fc36 openssl-devel-0.9.7a-33.24.s390x.rpm
312156b73990ad5d8ab0ca6f4bf09d3c openssl-perl-0.9.7a-33.24.s390x.rpm

x86_64:
e6e165ab5f3774c2494865920f0773a0 openssl-0.9.7a-33.24.i686.rpm
4c79a9941bb91499b5c82f7966a35843 openssl-0.9.7a-33.24.x86_64.rpm
2d682d4c0b39e7b01c57887c845c31d2 openssl-debuginfo-0.9.7a-33.24.i686.rpm
d6e4c2120d1ae9c292f128beb3489af2 openssl-debuginfo-0.9.7a-33.24.x86_64.rpm
8b47a2b03491fc3dab25b4d9d2304fa1 openssl-devel-0.9.7a-33.24.x86_64.rpm
969b865272c1bba25e03fc4523432f9b openssl-perl-0.9.7a-33.24.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/openssl-0.9.7a-33.24.src.rpm
b2e9f291195f6a8e3b6b77d1722e4c32 openssl-0.9.7a-33.24.src.rpm

i386:
db30d33b3590d5267f22c355953ec333 openssl-0.9.7a-33.24.i386.rpm
e6e165ab5f3774c2494865920f0773a0 openssl-0.9.7a-33.24.i686.rpm
06d53bf4d8d9c3eb8414cdaf907df743 openssl-debuginfo-0.9.7a-33.24.i386.rpm
2d682d4c0b39e7b01c57887c845c31d2 openssl-debuginfo-0.9.7a-33.24.i686.rpm
b4744e8c4e8322691cdf8a74f382d291 openssl-devel-0.9.7a-33.24.i386.rpm
e89ed20c06ce1cbe489fb58043b06986 openssl-perl-0.9.7a-33.24.i386.rpm

x86_64:
e6e165ab5f3774c2494865920f0773a0 openssl-0.9.7a-33.24.i686.rpm
4c79a9941bb91499b5c82f7966a35843 openssl-0.9.7a-33.24.x86_64.rpm
2d682d4c0b39e7b01c57887c845c31d2 openssl-debuginfo-0.9.7a-33.24.i686.rpm
d6e4c2120d1ae9c292f128beb3489af2 openssl-debuginfo-0.9.7a-33.24.x86_64.rpm
8b47a2b03491fc3dab25b4d9d2304fa1 openssl-devel-0.9.7a-33.24.x86_64.rpm
969b865272c1bba25e03fc4523432f9b openssl-perl-0.9.7a-33.24.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/openssl-0.9.7a-33.24.src.rpm
b2e9f291195f6a8e3b6b77d1722e4c32 openssl-0.9.7a-33.24.src.rpm

i386:
db30d33b3590d5267f22c355953ec333 openssl-0.9.7a-33.24.i386.rpm
e6e165ab5f3774c2494865920f0773a0 openssl-0.9.7a-33.24.i686.rpm
06d53bf4d8d9c3eb8414cdaf907df743 openssl-debuginfo-0.9.7a-33.24.i386.rpm
2d682d4c0b39e7b01c57887c845c31d2 openssl-debuginfo-0.9.7a-33.24.i686.rpm
b4744e8c4e8322691cdf8a74f382d291 openssl-devel-0.9.7a-33.24.i386.rpm
e89ed20c06ce1cbe489fb58043b06986 openssl-perl-0.9.7a-33.24.i386.rpm

ia64:
e6e165ab5f3774c2494865920f0773a0 openssl-0.9.7a-33.24.i686.rpm
3b73e6c1ddea4868fb9ca1ef0d0e8908 openssl-0.9.7a-33.24.ia64.rpm
2d682d4c0b39e7b01c57887c845c31d2 openssl-debuginfo-0.9.7a-33.24.i686.rpm
d4ad6188e4b032b6c5c87c9c305ee06f openssl-debuginfo-0.9.7a-33.24.ia64.rpm
9094dc39705ac75c3418f6f1038f1544 openssl-devel-0.9.7a-33.24.ia64.rpm
5b421c027aa30dd7ac5e9ecd67183cb4 openssl-perl-0.9.7a-33.24.ia64.rpm

x86_64:
e6e165ab5f3774c2494865920f0773a0 openssl-0.9.7a-33.24.i686.rpm
4c79a9941bb91499b5c82f7966a35843 openssl-0.9.7a-33.24.x86_64.rpm
2d682d4c0b39e7b01c57887c845c31d2 openssl-debuginfo-0.9.7a-33.24.i686.rpm
d6e4c2120d1ae9c292f128beb3489af2 openssl-debuginfo-0.9.7a-33.24.x86_64.rpm
8b47a2b03491fc3dab25b4d9d2304fa1 openssl-devel-0.9.7a-33.24.x86_64.rpm
969b865272c1bba25e03fc4523432f9b openssl-perl-0.9.7a-33.24.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/openssl-0.9.7a-33.24.src.rpm
b2e9f291195f6a8e3b6b77d1722e4c32 openssl-0.9.7a-33.24.src.rpm

i386:
db30d33b3590d5267f22c355953ec333 openssl-0.9.7a-33.24.i386.rpm
e6e165ab5f3774c2494865920f0773a0 openssl-0.9.7a-33.24.i686.rpm
06d53bf4d8d9c3eb8414cdaf907df743 openssl-debuginfo-0.9.7a-33.24.i386.rpm
2d682d4c0b39e7b01c57887c845c31d2 openssl-debuginfo-0.9.7a-33.24.i686.rpm
b4744e8c4e8322691cdf8a74f382d291 openssl-devel-0.9.7a-33.24.i386.rpm
e89ed20c06ce1cbe489fb58043b06986 openssl-perl-0.9.7a-33.24.i386.rpm

ia64:
e6e165ab5f3774c2494865920f0773a0 openssl-0.9.7a-33.24.i686.rpm
3b73e6c1ddea4868fb9ca1ef0d0e8908 openssl-0.9.7a-33.24.ia64.rpm
2d682d4c0b39e7b01c57887c845c31d2 openssl-debuginfo-0.9.7a-33.24.i686.rpm
d4ad6188e4b032b6c5c87c9c305ee06f openssl-debuginfo-0.9.7a-33.24.ia64.rpm
9094dc39705ac75c3418f6f1038f1544 openssl-devel-0.9.7a-33.24.ia64.rpm
5b421c027aa30dd7ac5e9ecd67183cb4 openssl-perl-0.9.7a-33.24.ia64.rpm

x86_64:
e6e165ab5f3774c2494865920f0773a0 openssl-0.9.7a-33.24.i686.rpm
4c79a9941bb91499b5c82f7966a35843 openssl-0.9.7a-33.24.x86_64.rpm
2d682d4c0b39e7b01c57887c845c31d2 openssl-debuginfo-0.9.7a-33.24.i686.rpm
d6e4c2120d1ae9c292f128beb3489af2 openssl-debuginfo-0.9.7a-33.24.x86_64.rpm
8b47a2b03491fc3dab25b4d9d2304fa1 openssl-devel-0.9.7a-33.24.x86_64.rpm
969b865272c1bba25e03fc4523432f9b openssl-perl-0.9.7a-33.24.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3108
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is lt;secalert@redhat.comgt;. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFHHH76XlSAg2UNWIIRAmiUAKCqMAlc2iDwiFVDsErkPCbEBRVOTQCfRc2y
BlD70FkWDMYdVlTzfod+X1k=
=V23I
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/rhsa_20070813_01_moderate_openssl_security_update.html)