Date:         Tue, 19 Jan 2010 15:48:10 -0600
Reply-To:     Troy Dawson 
Sender:       Security Errata for Scientific Linux
              
From:         Troy Dawson 
Subject:      FASTBUGS for SL 5.x i386/x86_64
Comments: To: "scientific-linux-errata@fnal.gov"
          

The following FASTBUGS have been uploaded to



         i386:
aide-0.13.1-6.el5.i386.rpm
avahi-0.6.16-7.el5.i386.rpm
avahi-compat-howl-0.6.16-7.el5.i386.rpm
avahi-compat-howl-devel-0.6.16-7.el5.i386.rpm
avahi-compat-libdns_sd-0.6.16-7.el5.i386.rpm
avahi-compat-libdns_sd-devel-0.6.16-7.el5.i386.rpm
avahi-devel-0.6.16-7.el5.i386.rpm
avahi-glib-0.6.16-7.el5.i386.rpm
avahi-glib-devel-0.6.16-7.el5.i386.rpm
avahi-qt3-0.6.16-7.el5.i386.rpm
avahi-qt3-devel-0.6.16-7.el5.i386.rpm
avahi-tools-0.6.16-7.el5.i386.rpm
cpuspeed-1.2.1-9.el5.i386.rpm
cups-1.3.7-11.el5_4.5.i386.rpm
cups-devel-1.3.7-11.el5_4.5.i386.rpm
cups-libs-1.3.7-11.el5_4.5.i386.rpm
cups-lpd-1.3.7-11.el5_4.5.i386.rpm
dhclient-3.0.5-21.el5_4.1.i386.rpm
dhcp-3.0.5-21.el5_4.1.i386.rpm
dhcp-devel-3.0.5-21.el5_4.1.i386.rpm
dogtail-0.6.1-3.el5.noarch.rpm
dosfstools-2.11-9.el5.i386.rpm
gnome-vfs2-2.16.2-5.el5.i386.rpm
gnome-vfs2-devel-2.16.2-5.el5.i386.rpm
gnome-vfs2-smb-2.16.2-5.el5.i386.rpm
libdhcp4client-3.0.5-21.el5_4.1.i386.rpm
libdhcp4client-devel-3.0.5-21.el5_4.1.i386.rpm
logwatch-7.3-8.el5.noarch.rpm
mdadm-2.6.9-3.el5.i386.rpm
perl-XML-LibXML-1.58-6.i386.rpm
perl-XML-SAX-0.14-8.noarch.rpm
readahead-1.3-8.el5.i386.rpm
ruby-1.8.5-5.el5_4.8.i386.rpm
ruby-devel-1.8.5-5.el5_4.8.i386.rpm
ruby-docs-1.8.5-5.el5_4.8.i386.rpm
ruby-irb-1.8.5-5.el5_4.8.i386.rpm
ruby-libs-1.8.5-5.el5_4.8.i386.rpm
ruby-mode-1.8.5-5.el5_4.8.i386.rpm
ruby-rdoc-1.8.5-5.el5_4.8.i386.rpm
ruby-ri-1.8.5-5.el5_4.8.i386.rpm
ruby-tcltk-1.8.5-5.el5_4.8.i386.rpm
strace-4.5.18-5.el5_4.1.i386.rpm
tcsh-6.14-14.el5_4.3.i386.rpm
xen-3.0.3-94.el5_4.3.i386.rpm
xen-devel-3.0.3-94.el5_4.3.i386.rpm
xen-libs-3.0.3-94.el5_4.3.i386.rpm
        x86_64:
aide-0.13.1-6.el5.x86_64.rpm
avahi-0.6.16-7.el5.i386.rpm
avahi-0.6.16-7.el5.x86_64.rpm
avahi-compat-howl-0.6.16-7.el5.i386.rpm
avahi-compat-howl-0.6.16-7.el5.x86_64.rpm
avahi-compat-howl-devel-0.6.16-7.el5.i386.rpm
avahi-compat-howl-devel-0.6.16-7.el5.x86_64.rpm
avahi-compat-libdns_sd-0.6.16-7.el5.i386.rpm
avahi-compat-libdns_sd-0.6.16-7.el5.x86_64.rpm
avahi-compat-libdns_sd-devel-0.6.16-7.el5.i386.rpm
avahi-compat-libdns_sd-devel-0.6.16-7.el5.x86_64.rpm
avahi-devel-0.6.16-7.el5.i386.rpm
avahi-devel-0.6.16-7.el5.x86_64.rpm
avahi-glib-0.6.16-7.el5.i386.rpm
avahi-glib-0.6.16-7.el5.x86_64.rpm
avahi-glib-devel-0.6.16-7.el5.i386.rpm
avahi-glib-devel-0.6.16-7.el5.x86_64.rpm
avahi-qt3-0.6.16-7.el5.i386.rpm
avahi-qt3-0.6.16-7.el5.x86_64.rpm
avahi-qt3-devel-0.6.16-7.el5.i386.rpm
avahi-qt3-devel-0.6.16-7.el5.x86_64.rpm
avahi-tools-0.6.16-7.el5.x86_64.rpm
cpuspeed-1.2.1-9.el5.x86_64.rpm
cups-1.3.7-11.el5_4.5.x86_64.rpm
cups-devel-1.3.7-11.el5_4.5.i386.rpm
cups-devel-1.3.7-11.el5_4.5.x86_64.rpm
cups-libs-1.3.7-11.el5_4.5.i386.rpm
cups-libs-1.3.7-11.el5_4.5.x86_64.rpm
cups-lpd-1.3.7-11.el5_4.5.x86_64.rpm
dhclient-3.0.5-21.el5_4.1.x86_64.rpm
dhcp-3.0.5-21.el5_4.1.x86_64.rpm
dhcp-devel-3.0.5-21.el5_4.1.i386.rpm
dhcp-devel-3.0.5-21.el5_4.1.x86_64.rpm
dogtail-0.6.1-3.el5.noarch.rpm
dosfstools-2.11-9.el5.x86_64.rpm
gnome-vfs2-2.16.2-5.el5.i386.rpm
gnome-vfs2-2.16.2-5.el5.x86_64.rpm
gnome-vfs2-devel-2.16.2-5.el5.i386.rpm
gnome-vfs2-devel-2.16.2-5.el5.x86_64.rpm
gnome-vfs2-smb-2.16.2-5.el5.x86_64.rpm
libdhcp4client-3.0.5-21.el5_4.1.i386.rpm
libdhcp4client-3.0.5-21.el5_4.1.x86_64.rpm
libdhcp4client-devel-3.0.5-21.el5_4.1.i386.rpm
libdhcp4client-devel-3.0.5-21.el5_4.1.x86_64.rpm
logwatch-7.3-8.el5.noarch.rpm
mdadm-2.6.9-3.el5.x86_64.rpm
perl-XML-LibXML-1.58-6.x86_64.rpm
perl-XML-SAX-0.14-8.noarch.rpm
readahead-1.3-8.el5.x86_64.rpm
ruby-1.8.5-5.el5_4.8.x86_64.rpm
ruby-devel-1.8.5-5.el5_4.8.i386.rpm
ruby-devel-1.8.5-5.el5_4.8.x86_64.rpm
ruby-docs-1.8.5-5.el5_4.8.x86_64.rpm
ruby-irb-1.8.5-5.el5_4.8.x86_64.rpm
ruby-libs-1.8.5-5.el5_4.8.i386.rpm
ruby-libs-1.8.5-5.el5_4.8.x86_64.rpm
ruby-mode-1.8.5-5.el5_4.8.x86_64.rpm
ruby-rdoc-1.8.5-5.el5_4.8.x86_64.rpm
ruby-ri-1.8.5-5.el5_4.8.x86_64.rpm
ruby-tcltk-1.8.5-5.el5_4.8.x86_64.rpm
strace-4.5.18-5.el5_4.1.x86_64.rpm
tcsh-6.14-14.el5_4.3.x86_64.rpm
xen-3.0.3-94.el5_4.3.x86_64.rpm
xen-devel-3.0.3-94.el5_4.3.i386.rpm
xen-devel-3.0.3-94.el5_4.3.x86_64.rpm
xen-libs-3.0.3-94.el5_4.3.i386.rpm
xen-libs-3.0.3-94.el5_4.3.x86_64.rpm


-Connie Sieh
-Troy Dawson
Date:         Wed, 20 Jan 2010 11:41:55 -0600
Reply-To:     Troy Dawson 
Sender:       Security Errata for Scientific Linux
              
From:         Troy Dawson 
Subject:      Security ERRATA Moderate: openssl on SL5.x i386/x86_64
Comments: To: "scientific-linux-errata@fnal.gov"
          

Synopsis:	Moderate: openssl security update
Issue date:	2010-01-19
CVE Names:	CVE-2009-2409 CVE-2009-4355

CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky)
CVE-2009-4355 openssl significant memory leak in certain SSLv3 requests 
(DoS)

It was found that the OpenSSL library did not properly re-initialize its
internal state in the SSL_library_init() function after previous calls 
to the CRYPTO_cleanup_all_ex_data() function, which would cause a memory 
leak for each subsequent SSL connection. This flaw could cause server
applications that call those functions during reload, such as a 
combination of the Apache HTTP Server, mod_ssl, PHP, and cURL, to 
consume all available memory, resulting in a denial of service. 
(CVE-2009-4355)

Dan Kaminsky found that browsers could accept certificates with MD2 hash
signatures, even though MD2 is no longer considered a cryptographically
strong algorithm. This could make it easier for an attacker to create a
malicious certificate that would be treated as trusted by a browser.
OpenSSL now disables the use of the MD2 algorithm inside signatures by
default. (CVE-2009-2409)

For the update to take effect, all services linked to the OpenSSL 
library must be restarted, or the system rebooted.

SL 5.x

     SRPMS:
openssl-0.9.8e-12.el5_4.1.src.rpm
     i386:
openssl-0.9.8e-12.el5_4.1.i386.rpm
openssl-0.9.8e-12.el5_4.1.i686.rpm
openssl-devel-0.9.8e-12.el5_4.1.i386.rpm
openssl-perl-0.9.8e-12.el5_4.1.i386.rpm
     x86_64:
openssl-0.9.8e-12.el5_4.1.i686.rpm
openssl-0.9.8e-12.el5_4.1.x86_64.rpm
openssl-devel-0.9.8e-12.el5_4.1.i386.rpm
openssl-devel-0.9.8e-12.el5_4.1.x86_64.rpm
openssl-perl-0.9.8e-12.el5_4.1.x86_64.rpm

-Connie Sieh
-Troy Dawson

SciLinux: CVE-2009-2409 Moderate: openssl SL5.x i386/x86_64

Moderate: openssl security update

Summary

(DoS)It was found that the OpenSSL library did not properly re-initialize itsinternal state in the SSL_library_init() function after previous callsto the CRYPTO_cleanup_all_ex_data() function, which would cause a memoryleak for each subsequent SSL connection. This flaw could cause serverapplications that call those functions during reload, such as acombination of the Apache HTTP Server, mod_ssl, PHP, and cURL, toconsume all available memory, resulting in a denial of service.(CVE-2009-4355)Dan Kaminsky found that browsers could accept certificates with MD2 hashsignatures, even though MD2 is no longer considered a cryptographicallystrong algorithm. This could make it easier for an attacker to create amalicious certificate that would be treated as trusted by a browser.OpenSSL now disables the use of the MD2 algorithm inside signatures bydefault. (CVE-2009-2409)For the update to take effect, all services linked to the OpenSSLlibrary must be restarted, or the system rebooted.SL 5.xSRPMS:openssl-0.9.8e-12.el5_4.1.src.rpmi386:openssl-0.9.8e-12.el5_4.1.i386.rpmopenssl-0.9.8e-12.el5_4.1.i686.rpmopenssl-devel-0.9.8e-12.el5_4.1.i386.rpmopenssl-perl-0.9.8e-12.el5_4.1.i386.rpmx86_64:openssl-0.9.8e-12.el5_4.1.i686.rpmopenssl-0.9.8e-12.el5_4.1.x86_64.rpmopenssl-devel-0.9.8e-12.el5_4.1.i386.rpmopenssl-devel-0.9.8e-12.el5_4.1.x86_64.rpmopenssl-perl-0.9.8e-12.el5_4.1.x86_64.rpm-Connie Sieh-Troy Dawson



Security Fixes

Severity
Issued Date: : 2010-01-19
CVE Names: CVE-2009-2409 CVE-2009-4355
CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky)
CVE-2009-4355 openssl significant memory leak in certain SSLv3 requests

Related News

19.Laptop Bed Esm H320
2 - 3 min read
The release of Google Chrome 124 addresses four vulnerabilities, including a critical security flaw that can enable attackers to execute arbitrary
23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved