Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 603
Alerts This Week
Warning Icon 1 603

Scientific Linux 5/6: OpenSSL Low-Level Update CVE-2013-0169 Denial of Service Notice

Scientific Large Esm H446
Moderate: openssl security update
Date: Mon, 4 Mar 2013 16:58:32 -0600
Reply-To: Pat Riehecky 
Sender: Security Errata for Scientific Linux
 
From: Pat Riehecky 
Organization: Fermilab
Subject: Security ERRATA Moderate: openssl on SL5.x, SL6.x i386/x86_64
MIME-Version: 1.0

Synopsis: Moderate: openssl security update
Issue Date: 2013-03-04
CVE Numbers: CVE-2013-0169
 CVE-2012-4929
 CVE-2013-0166
--

It was discovered that OpenSSL leaked timing information when decrypting
TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites
were used. A remote attacker could possibly use this flaw to retrieve
plain text from the encrypted packets by using a TLS/SSL or DTLS server
as a padding oracle. (CVE-2013-0169)

A NULL pointer dereference flaw was found in the OCSP response
verification in OpenSSL. A malicious OCSP server could use this flaw to
crash applications performing OCSP verification by sending a specially-
crafted response. (CVE-2013-0166)

It was discovered that the TLS/SSL protocol could leak information about
plain text when optional compression was used. An attacker able to control
part of the plain text sent over an encrypted TLS/SSL connection could
possibly use this flaw to recover other portions of the plain text.
(CVE-2012-4929)

Note: This update disables zlib compression, which was previously enabled
in OpenSSL by default. Applications using OpenSSL now need to explicitly
enable zlib compression to use it.

It was found that OpenSSL read certain environment variables even when
used by a privileged (setuid or setgid) application. A local attacker
could use this flaw to escalate their privileges. No application shipped
with Scientific Linux 5 and 6 was affected by this problem.

For the update to take effect, all services linked to the OpenSSL
library must be restarted, or the system rebooted.
--

SL5
 x86_64
 openssl-0.9.8e-26.el5_9.1.i686.rpm
 openssl-0.9.8e-26.el5_9.1.x86_64.rpm
 openssl-debuginfo-0.9.8e-26.el5_9.1.i686.rpm
 openssl-debuginfo-0.9.8e-26.el5_9.1.x86_64.rpm
 openssl-perl-0.9.8e-26.el5_9.1.x86_64.rpm
 openssl-debuginfo-0.9.8e-26.el5_9.1.i386.rpm
 openssl-devel-0.9.8e-26.el5_9.1.i386.rpm
 openssl-devel-0.9.8e-26.el5_9.1.x86_64.rpm
 i386
 openssl-0.9.8e-26.el5_9.1.i386.rpm
 openssl-0.9.8e-26.el5_9.1.i686.rpm
 openssl-debuginfo-0.9.8e-26.el5_9.1.i386.rpm
 openssl-debuginfo-0.9.8e-26.el5_9.1.i686.rpm
 openssl-perl-0.9.8e-26.el5_9.1.i386.rpm
 openssl-devel-0.9.8e-26.el5_9.1.i386.rpm
SL6
 x86_64
 openssl-1.0.0-27.el6_4.2.i686.rpm
 openssl-1.0.0-27.el6_4.2.x86_64.rpm
 openssl-debuginfo-1.0.0-27.el6_4.2.i686.rpm
 openssl-debuginfo-1.0.0-27.el6_4.2.x86_64.rpm
 openssl-devel-1.0.0-27.el6_4.2.i686.rpm
 openssl-devel-1.0.0-27.el6_4.2.x86_64.rpm
 openssl-perl-1.0.0-27.el6_4.2.x86_64.rpm
 openssl-static-1.0.0-27.el6_4.2.x86_64.rpm
 i386
 openssl-1.0.0-27.el6_4.2.i686.rpm
 openssl-debuginfo-1.0.0-27.el6_4.2.i686.rpm
 openssl-devel-1.0.0-27.el6_4.2.i686.rpm
 openssl-perl-1.0.0-27.el6_4.2.i686.rpm
 openssl-static-1.0.0-27.el6_4.2.i686.rpm

- Scientific Linux Development Team