Explore top 10 tips to secure your open-source projects now. Read More
×
Date: Tue, 20 Jan 2015 09:08:00 -0600 Reply-To: Pat RieheckySender: Security Errata for Scientific Linux From: Pat Riehecky Subject: FASTBUGS for SL 7x x86_64 now available MIME-Version: 1.0 The following FASTBUGS have been uploaded to x86_64: libgudev1-208-11.el7_0.6.i686.rpm libgudev1-208-11.el7_0.6.x86_64.rpm libgudev1-devel-208-11.el7_0.6.i686.rpm libgudev1-devel-208-11.el7_0.6.x86_64.rpm sblim-sfcb-1.3.16-12.el7_0.i686.rpm sblim-sfcb-1.3.16-12.el7_0.x86_64.rpm subscription-manager-1.10.14-13.sl7.x86_64.rpm subscription-manager-firstboot-1.10.14-13.sl7.x86_64.rpm subscription-manager-gui-1.10.14-13.sl7.x86_64.rpm systemd-208-11.el7_0.6.x86_64.rpm systemd-devel-208-11.el7_0.6.i686.rpm systemd-devel-208-11.el7_0.6.x86_64.rpm systemd-journal-gateway-208-11.el7_0.6.x86_64.rpm systemd-libs-208-11.el7_0.6.i686.rpm systemd-libs-208-11.el7_0.6.x86_64.rpm systemd-python-208-11.el7_0.6.x86_64.rpm systemd-sysv-208-11.el7_0.6.x86_64.rpm Date: Wed, 21 Jan 2015 16:47:10 +0000 Reply-To: scientific-linux-users@ Sender: Security Errata for Scientific Linux From: Pat Riehecky Subject: Security ERRATA Moderate: openssl on SL6.x, SL7.x i386/x86_64 MIME-Version: 1.0 Synopsis: Moderate: openssl security update Advisory ID: SLSA-2015:0066-1 Issue Date: 2015-01-21 CVE Numbers: CVE-2015-0204 CVE-2014-3572 CVE-2014-8275 CVE-2014-3571 CVE-2015-0206 CVE-2015-0205 CVE-2014-3570 -- A NULL pointer dereference flaw was found in the DTLS implementation of OpenSSL. A remote attacker could send a specially crafted DTLS message, which would cause an OpenSSL server to crash. (CVE-2014-3571) A memory leak flaw was found in the way the dtls1_buffer_record() function of OpenSSL parsed certain DTLS messages. A remote attacker could send multiple specially crafted DTLS messages to exhaust all available memory of a DTLS server. (CVE-2015-0206) It was found that OpenSSL's BigNumber Squaring implementation could produce incorrect results under certain special conditions. This flaw could possibly affect certain OpenSSL library functionality, such as RSA blinding. Note that this issue occurred rarely and with a low probability, and there is currently no known way of exploiting it. (CVE-2014-3570) It was discovered that OpenSSL would perform an ECDH key exchange with a non-ephemeral key even when the ephemeral ECDH cipher suite was selected. A malicious server could make a TLS/SSL client using OpenSSL use a weaker key exchange method than the one requested by the user. (CVE-2014-3572) It was discovered that OpenSSL would accept ephemeral RSA keys when using non-export RSA cipher suites. A malicious server could make a TLS/SSL client using OpenSSL use a weaker key exchange method. (CVE-2015-0204) Multiple flaws were found in the way OpenSSL parsed X.509 certificates. An attacker could use these flaws to modify an X.509 certificate to produce a certificate with a different fingerprint without invalidating its signature, and possibly bypass fingerprint-based blacklisting in applications. (CVE-2014-8275) It was found that an OpenSSL server would, under certain conditions, accept Diffie-Hellman client certificates without the use of a private key. An attacker could use a user's client certificate to authenticate as that user, without needing the private key. (CVE-2015-0205) For the update to take effect, all services linked to the OpenSSL library (such as httpd and other SSL-enabled services) must be restarted or the system rebooted. -- SL6 x86_64 openssl-1.0.1e-30.el6_6.5.i686.rpm openssl-1.0.1e-30.el6_6.5.x86_64.rpm openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm openssl-devel-1.0.1e-30.el6_6.5.i686.rpm openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm i386 openssl-1.0.1e-30.el6_6.5.i686.rpm openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm openssl-devel-1.0.1e-30.el6_6.5.i686.rpm openssl-perl-1.0.1e-30.el6_6.5.i686.rpm openssl-static-1.0.1e-30.el6_6.5.i686.rpm SL7 x86_64 openssl-1.0.1e-34.el7_0.7.x86_64.rpm openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm openssl-devel-1.0.1e-34.el7_0.7.i686.rpm openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm openssl-libs-1.0.1e-34.el7_0.7.i686.rpm openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm openssl-static-1.0.1e-34.el7_0.7.i686.rpm openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm - Scientific Linux Development Team