Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found -4 articles for you...
203
security advisorynetwork attackciphersuiteMageia 6 Security Advisory MGASA-2018-0432: Mbedtls TLS Issues
Updated mbedtls package fixes security vulnerabilities: Fixed a vulnerability in the TLS ciphersuites based on use of CBC and SHA-384 in DTLS/TLS 1.0 to 1.2, that allowed an active network attacker to partially recover the plaintext of messages under certains conditions . MGASA-2018-0432 - Updated mbedtls packages fix security vulnerabilities Publication date: 03 Nov 2018 URL: https://advisories.mageia.org/MGASA-2018-0432.html Type: security Affected Mageia releases: 6 CVE: CVE-2018-0497, CVE-2018-0498 Updated mbedtls package fixes security vulnerabilities: Fixed a vulnerability in the TLS ciphersuites based on use of CBC and SHA-384 in DTLS/TLS 1.0 to 1.2, that allowed an active network attacker to partially recover the plaintext of messages under certains conditions by exploiting timing side-channels (CVE-2018-0497). Fixed a vulnerability in TLS ciphersuites based on CBC, in DTLS/TLS 1.0 to 1.2, that allowed a local attacker, with the ability to execute code on the local machine as well as to manipulate network packets, to partially recover the plaintext of messages under certain conditions (CVE-2018-0498). Fixed an issue in the X.509 module which could lead to a buffer overread during certificate extensions parsing (no CVE assigned). References: - https://bugs.mageia.org/show_bug.cgi?id=23660 - https://www.trustedfirmware.org/projects/mbed-tls/ - https://www.trustedfirmware.org/projects/mbed-tls/ - https://www.cve.org/CVERecord?id=CVE-2018-0497 - https://www.cve.org/CVERecord?id=CVE-2018-0498 SRPMS: - 6/core/mbedtls-2.7.6-1.mga6 . Mageia security announcement MGASA-2018-0432: Enhanced mbedtls packages tackle security flaws in TLS cipher suites.. Mbedtls Update,Mageia Security,TLS Ciphersuite Fix,Network Attack Defense. . Severity: Critical. LinuxSecurity.com Team
Nov 03, 2018
•Critical
Mageia
89
security advisoryupdatecriticalFedora 22 mod_nss Security Advisory: CVE-2015-5244 Critical Cipher Issue
Fix for CVE-2015-5244. An OpenSSL cipher string wasn't disabled when prefixed with !.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2016-6aa4dd4f3a 2016-01-24 18:32:28.486161 -------------------------------------------------------------------------------- Name : mod_nss Product : Fedora 22 Version : 1.0.11 Release : 6.fc22 URL : https://fedoraproject.org/wiki/Infrastructure/Fedorahosted-retirement/ Summary : SSL/TLS module for the Apache HTTP server Description : The mod_nss module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols using the Network Security Services (NSS) security library. -------------------------------------------------------------------------------- Update Information: Fix for CVE-2015-5244. An OpenSSL cipher string wasn't disabled when prefixed with !. -------------------------------------------------------------------------------- References: [ 1 ] Bug #1263070 - CVE-2015-5244 mod_nss: incorrect ciphersuite parsing [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1263070 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update mod_nss' at the command line. For more information, refer to "Managing Software with yum", available at . All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list
Jan 24, 2016
•Critical
Fedora
98
security advisorymoderateRed HatRed Hat: RHSA-2010:0978-01 Moderate: OpenSSL Ciphersuite Risk
Updated openssl packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores,. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: openssl security update Advisory ID: RHSA-2010:0978-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2010:0978.html Issue date: 2010-12-13 CVE Names: CVE-2008-7270 CVE-2010-4180 ==================================================================== 1. Summary: Updated openssl packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code. A remote attacker could possibly use this flaw to change the ciphersuite associated with a cached session stored on the server, if the server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly forcing the client to use a weaker ciphersuite after resuming the session. (CVE-2010-4180, CVE-2008-7270) Note: With this update, setting theSSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this bug workaround can no longer be enabled. All OpenSSL users should upgrade to these updated packages, which contain a backported patch to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at 5. Bugs fixed (http://bugzilla.redhat.com/): 659462 - CVE-2010-4180 openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG ciphersuite downgrade attack 660650 - CVE-2008-7270 openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG downgrade-to-disabled ciphersuite attack 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: i386: openssl-0.9.8e-12.el5_5.7.i386.rpm openssl-0.9.8e-12.el5_5.7.i686.rpm openssl-debuginfo-0.9.8e-12.el5_5.7.i386.rpm openssl-debuginfo-0.9.8e-12.el5_5.7.i686.rpm openssl-perl-0.9.8e-12.el5_5.7.i386.rpm x86_64: openssl-0.9.8e-12.el5_5.7.i686.rpm openssl-0.9.8e-12.el5_5.7.x86_64.rpm openssl-debuginfo-0.9.8e-12.el5_5.7.i686.rpm openssl-debuginfo-0.9.8e-12.el5_5.7.x86_64.rpm openssl-perl-0.9.8e-12.el5_5.7.x86_64.rpm RHEL Desktop Workstation (v. 5 client): Source: i386: openssl-debuginfo-0.9.8e-12.el5_5.7.i386.rpm openssl-devel-0.9.8e-12.el5_5.7.i386.rpm x86_64: openssl-debuginfo-0.9.8e-12.el5_5.7.i386.rpm openssl-debuginfo-0.9.8e-12.el5_5.7.x86_64.rpm openssl-devel-0.9.8e-12.el5_5.7.i386.rpm openssl-devel-0.9.8e-12.el5_5.7.x86_64.rpm Red Hat Enterprise Linux (v. 5server): Source: i386: openssl-0.9.8e-12.el5_5.7.i386.rpm openssl-0.9.8e-12.el5_5.7.i686.rpm openssl-debuginfo-0.9.8e-12.el5_5.7.i386.rpm openssl-debuginfo-0.9.8e-12.el5_5.7.i686.rpm openssl-devel-0.9.8e-12.el5_5.7.i386.rpm openssl-perl-0.9.8e-12.el5_5.7.i386.rpm ia64: openssl-0.9.8e-12.el5_5.7.i686.rpm openssl-0.9.8e-12.el5_5.7.ia64.rpm openssl-debuginfo-0.9.8e-12.el5_5.7.i686.rpm openssl-debuginfo-0.9.8e-12.el5_5.7.ia64.rpm openssl-devel-0.9.8e-12.el5_5.7.ia64.rpm openssl-perl-0.9.8e-12.el5_5.7.ia64.rpm ppc: openssl-0.9.8e-12.el5_5.7.ppc.rpm openssl-0.9.8e-12.el5_5.7.ppc64.rpm openssl-debuginfo-0.9.8e-12.el5_5.7.ppc.rpm openssl-debuginfo-0.9.8e-12.el5_5.7.ppc64.rpm openssl-devel-0.9.8e-12.el5_5.7.ppc.rpm openssl-devel-0.9.8e-12.el5_5.7.ppc64.rpm openssl-perl-0.9.8e-12.el5_5.7.ppc.rpm s390x: openssl-0.9.8e-12.el5_5.7.s390.rpm openssl-0.9.8e-12.el5_5.7.s390x.rpm openssl-debuginfo-0.9.8e-12.el5_5.7.s390.rpm openssl-debuginfo-0.9.8e-12.el5_5.7.s390x.rpm openssl-devel-0.9.8e-12.el5_5.7.s390.rpm openssl-devel-0.9.8e-12.el5_5.7.s390x.rpm openssl-perl-0.9.8e-12.el5_5.7.s390x.rpm x86_64: openssl-0.9.8e-12.el5_5.7.i686.rpm openssl-0.9.8e-12.el5_5.7.x86_64.rpm openssl-debuginfo-0.9.8e-12.el5_5.7.i386.rpm openssl-debuginfo-0.9.8e-12.el5_5.7.i686.rpm openssl-debuginfo-0.9.8e-12.el5_5.7.x86_64.rpm openssl-devel-0.9.8e-12.el5_5.7.i386.rpm openssl-devel-0.9.8e-12.el5_5.7.x86_64.rpm openssl-perl-0.9.8e-12.el5_5.7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://access.redhat.com/security/cve/CVE-2008-7270 https://access.redhat.com/security/cve/CVE-2010-4180 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2010 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4(GNU/Linux) iD8DBQFNBmlFXlSAg2UNWIIRArfgAKC08AtM/DdMUSwNoU5JHYOaPYJvcQCeJhh+ 6B6Gvl5F7ytAH5cKmTS+zxg=+Ub6 -----END PGP SIGNATURE----- -- Enterprise-watch-list mailing list
Dec 13, 2010
Red Hat
98
security advisorymoderatered hatRed Hat: RHSA-2010:0977 Moderate: OpenSSL Ciphersuite Downgrade Issue
Updated openssl packages that fix three security issues are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores,. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: openssl security update Advisory ID: RHSA-2010:0977-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2010:0977.html Issue date: 2010-12-13 CVE Names: CVE-2008-7270 CVE-2009-3245 CVE-2010-4180 ==================================================================== 1. Summary: Updated openssl packages that fix three security issues are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code. A remote attacker could possibly use this flaw to change the ciphersuite associated with a cached session stored on the server, if the server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly forcing the client to use a weaker ciphersuite after resuming thesession. (CVE-2010-4180, CVE-2008-7270) Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this bug workaround can no longer be enabled. It was discovered that OpenSSL did not always check the return value of the bn_wexpand() function. An attacker able to trigger a memory allocation failure in that function could possibly crash an application using the OpenSSL library and its UBSEC hardware engine support. (CVE-2009-3245) All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at 5. Bugs fixed (http://bugzilla.redhat.com/): 570924 - CVE-2009-3245 openssl: missing bn_wexpand return value checks 659462 - CVE-2010-4180 openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG ciphersuite downgrade attack 660650 - CVE-2008-7270 openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG downgrade-to-disabled ciphersuite attack 6. Package List: Red Hat Enterprise Linux AS version4: Source: i386: openssl-0.9.7a-43.17.el4_8.6.i386.rpm openssl-0.9.7a-43.17.el4_8.6.i686.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.i386.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.i686.rpm openssl-devel-0.9.7a-43.17.el4_8.6.i386.rpm openssl-perl-0.9.7a-43.17.el4_8.6.i386.rpm ia64: openssl-0.9.7a-43.17.el4_8.6.i686.rpm openssl-0.9.7a-43.17.el4_8.6.ia64.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.i686.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.ia64.rpm openssl-devel-0.9.7a-43.17.el4_8.6.ia64.rpm openssl-perl-0.9.7a-43.17.el4_8.6.ia64.rpm ppc: openssl-0.9.7a-43.17.el4_8.6.ppc.rpm openssl-0.9.7a-43.17.el4_8.6.ppc64.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.ppc.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.ppc64.rpm openssl-devel-0.9.7a-43.17.el4_8.6.ppc.rpm openssl-devel-0.9.7a-43.17.el4_8.6.ppc64.rpm openssl-perl-0.9.7a-43.17.el4_8.6.ppc.rpm s390: openssl-0.9.7a-43.17.el4_8.6.s390.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.s390.rpm openssl-devel-0.9.7a-43.17.el4_8.6.s390.rpm openssl-perl-0.9.7a-43.17.el4_8.6.s390.rpm s390x: openssl-0.9.7a-43.17.el4_8.6.s390.rpm openssl-0.9.7a-43.17.el4_8.6.s390x.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.s390.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.s390x.rpm openssl-devel-0.9.7a-43.17.el4_8.6.s390.rpm openssl-devel-0.9.7a-43.17.el4_8.6.s390x.rpm openssl-perl-0.9.7a-43.17.el4_8.6.s390x.rpm x86_64: openssl-0.9.7a-43.17.el4_8.6.i686.rpm openssl-0.9.7a-43.17.el4_8.6.x86_64.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.i386.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.i686.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.x86_64.rpm openssl-devel-0.9.7a-43.17.el4_8.6.i386.rpm openssl-devel-0.9.7a-43.17.el4_8.6.x86_64.rpm openssl-perl-0.9.7a-43.17.el4_8.6.x86_64.rpm Red Hat Enterprise Linux Desktop version4: Source: i386: openssl-0.9.7a-43.17.el4_8.6.i386.rpm openssl-0.9.7a-43.17.el4_8.6.i686.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.i386.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.i686.rpm openssl-devel-0.9.7a-43.17.el4_8.6.i386.rpm openssl-perl-0.9.7a-43.17.el4_8.6.i386.rpm x86_64: openssl-0.9.7a-43.17.el4_8.6.i686.rpm openssl-0.9.7a-43.17.el4_8.6.x86_64.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.i386.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.i686.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.x86_64.rpm openssl-devel-0.9.7a-43.17.el4_8.6.i386.rpm openssl-devel-0.9.7a-43.17.el4_8.6.x86_64.rpm openssl-perl-0.9.7a-43.17.el4_8.6.x86_64.rpm Red Hat Enterprise Linux ES version 4: Source: i386: openssl-0.9.7a-43.17.el4_8.6.i386.rpm openssl-0.9.7a-43.17.el4_8.6.i686.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.i386.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.i686.rpm openssl-devel-0.9.7a-43.17.el4_8.6.i386.rpm openssl-perl-0.9.7a-43.17.el4_8.6.i386.rpm ia64: openssl-0.9.7a-43.17.el4_8.6.i686.rpm openssl-0.9.7a-43.17.el4_8.6.ia64.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.i686.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.ia64.rpm openssl-devel-0.9.7a-43.17.el4_8.6.ia64.rpm openssl-perl-0.9.7a-43.17.el4_8.6.ia64.rpm x86_64: openssl-0.9.7a-43.17.el4_8.6.i686.rpm openssl-0.9.7a-43.17.el4_8.6.x86_64.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.i386.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.i686.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.x86_64.rpm openssl-devel-0.9.7a-43.17.el4_8.6.i386.rpm openssl-devel-0.9.7a-43.17.el4_8.6.x86_64.rpm openssl-perl-0.9.7a-43.17.el4_8.6.x86_64.rpm Red Hat Enterprise Linux WS version4: Source: i386: openssl-0.9.7a-43.17.el4_8.6.i386.rpm openssl-0.9.7a-43.17.el4_8.6.i686.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.i386.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.i686.rpm openssl-devel-0.9.7a-43.17.el4_8.6.i386.rpm openssl-perl-0.9.7a-43.17.el4_8.6.i386.rpm ia64: openssl-0.9.7a-43.17.el4_8.6.i686.rpm openssl-0.9.7a-43.17.el4_8.6.ia64.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.i686.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.ia64.rpm openssl-devel-0.9.7a-43.17.el4_8.6.ia64.rpm openssl-perl-0.9.7a-43.17.el4_8.6.ia64.rpm x86_64: openssl-0.9.7a-43.17.el4_8.6.i686.rpm openssl-0.9.7a-43.17.el4_8.6.x86_64.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.i386.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.i686.rpm openssl-debuginfo-0.9.7a-43.17.el4_8.6.x86_64.rpm openssl-devel-0.9.7a-43.17.el4_8.6.i386.rpm openssl-devel-0.9.7a-43.17.el4_8.6.x86_64.rpm openssl-perl-0.9.7a-43.17.el4_8.6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://access.redhat.com/security/cve/CVE-2008-7270 https://access.redhat.com/security/cve/CVE-2009-3245 https://access.redhat.com/security/cve/CVE-2010-4180 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2010 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFNBmPdXlSAg2UNWIIRAhJ7AJ4udykIH04u4+SjeOtQtqP6ckm6gQCgxMQJ uHxijZs4kgRR0FnX+gzoPdU=5RLE -----END PGP SIGNATURE----- -- Enterprise-watch-list mailing list
Dec 13, 2010
Red Hat
98
security advisorymoderatesecurity updateRed Hat Enterprise Linux 6: RHSA-2010:0979-01 Moderate OpenSSL Cipher Issue
Updated openssl packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]. ==================================================================== Red Hat Security Advisory Synopsis: Moderate: openssl security update Advisory ID: RHSA-2010:0979-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2010:0979.html Issue date: 2010-12-13 CVE Names: CVE-2010-4180 ==================================================================== 1. Summary: Updated openssl packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code. A remote attacker could possibly use this flaw to change the ciphersuite associated with a cached session stored on the server, if the server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option,possibly forcing the client to use a weaker ciphersuite after resuming the session. (CVE-2010-4180) Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this bug workaround can no longer be enabled. All OpenSSL users should upgrade to these updated packages, which contain a backported patch to resolve this issue. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at 5. Bugs fixed (http://bugzilla.redhat.com/): 659462 - CVE-2010-4180 openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG ciphersuite downgrade attack 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: i386: openssl-1.0.0-4.el6_0.2.i686.rpm openssl-debuginfo-1.0.0-4.el6_0.2.i686.rpm x86_64: openssl-1.0.0-4.el6_0.2.i686.rpm openssl-1.0.0-4.el6_0.2.x86_64.rpm openssl-debuginfo-1.0.0-4.el6_0.2.i686.rpm openssl-debuginfo-1.0.0-4.el6_0.2.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: i386: openssl-debuginfo-1.0.0-4.el6_0.2.i686.rpm openssl-devel-1.0.0-4.el6_0.2.i686.rpm openssl-perl-1.0.0-4.el6_0.2.i686.rpm openssl-static-1.0.0-4.el6_0.2.i686.rpm x86_64: openssl-debuginfo-1.0.0-4.el6_0.2.i686.rpm openssl-debuginfo-1.0.0-4.el6_0.2.x86_64.rpm openssl-devel-1.0.0-4.el6_0.2.i686.rpm openssl-devel-1.0.0-4.el6_0.2.x86_64.rpm openssl-perl-1.0.0-4.el6_0.2.x86_64.rpm openssl-static-1.0.0-4.el6_0.2.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: x86_64: openssl-1.0.0-4.el6_0.2.i686.rpm openssl-1.0.0-4.el6_0.2.x86_64.rpm openssl-debuginfo-1.0.0-4.el6_0.2.i686.rpm openssl-debuginfo-1.0.0-4.el6_0.2.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v.6): Source: x86_64: openssl-debuginfo-1.0.0-4.el6_0.2.i686.rpm openssl-debuginfo-1.0.0-4.el6_0.2.x86_64.rpm openssl-devel-1.0.0-4.el6_0.2.i686.rpm openssl-devel-1.0.0-4.el6_0.2.x86_64.rpm openssl-perl-1.0.0-4.el6_0.2.x86_64.rpm openssl-static-1.0.0-4.el6_0.2.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: i386: openssl-1.0.0-4.el6_0.2.i686.rpm openssl-debuginfo-1.0.0-4.el6_0.2.i686.rpm openssl-devel-1.0.0-4.el6_0.2.i686.rpm ppc64: openssl-1.0.0-4.el6_0.2.ppc.rpm openssl-1.0.0-4.el6_0.2.ppc64.rpm openssl-debuginfo-1.0.0-4.el6_0.2.ppc.rpm openssl-debuginfo-1.0.0-4.el6_0.2.ppc64.rpm openssl-devel-1.0.0-4.el6_0.2.ppc.rpm openssl-devel-1.0.0-4.el6_0.2.ppc64.rpm s390x: openssl-1.0.0-4.el6_0.2.s390.rpm openssl-1.0.0-4.el6_0.2.s390x.rpm openssl-debuginfo-1.0.0-4.el6_0.2.s390.rpm openssl-debuginfo-1.0.0-4.el6_0.2.s390x.rpm openssl-devel-1.0.0-4.el6_0.2.s390.rpm openssl-devel-1.0.0-4.el6_0.2.s390x.rpm x86_64: openssl-1.0.0-4.el6_0.2.i686.rpm openssl-1.0.0-4.el6_0.2.x86_64.rpm openssl-debuginfo-1.0.0-4.el6_0.2.i686.rpm openssl-debuginfo-1.0.0-4.el6_0.2.x86_64.rpm openssl-devel-1.0.0-4.el6_0.2.i686.rpm openssl-devel-1.0.0-4.el6_0.2.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: i386: openssl-debuginfo-1.0.0-4.el6_0.2.i686.rpm openssl-perl-1.0.0-4.el6_0.2.i686.rpm openssl-static-1.0.0-4.el6_0.2.i686.rpm ppc64: openssl-debuginfo-1.0.0-4.el6_0.2.ppc64.rpm openssl-perl-1.0.0-4.el6_0.2.ppc64.rpm openssl-static-1.0.0-4.el6_0.2.ppc64.rpm s390x: openssl-debuginfo-1.0.0-4.el6_0.2.s390x.rpm openssl-perl-1.0.0-4.el6_0.2.s390x.rpm openssl-static-1.0.0-4.el6_0.2.s390x.rpm x86_64: openssl-debuginfo-1.0.0-4.el6_0.2.x86_64.rpm openssl-perl-1.0.0-4.el6_0.2.x86_64.rpm openssl-static-1.0.0-4.el6_0.2.x86_64.rpm Red Hat Enterprise Linux Workstation (v.6): Source: i386: openssl-1.0.0-4.el6_0.2.i686.rpm openssl-debuginfo-1.0.0-4.el6_0.2.i686.rpm openssl-devel-1.0.0-4.el6_0.2.i686.rpm x86_64: openssl-1.0.0-4.el6_0.2.i686.rpm openssl-1.0.0-4.el6_0.2.x86_64.rpm openssl-debuginfo-1.0.0-4.el6_0.2.i686.rpm openssl-debuginfo-1.0.0-4.el6_0.2.x86_64.rpm openssl-devel-1.0.0-4.el6_0.2.i686.rpm openssl-devel-1.0.0-4.el6_0.2.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: i386: openssl-debuginfo-1.0.0-4.el6_0.2.i686.rpm openssl-perl-1.0.0-4.el6_0.2.i686.rpm openssl-static-1.0.0-4.el6_0.2.i686.rpm x86_64: openssl-debuginfo-1.0.0-4.el6_0.2.x86_64.rpm openssl-perl-1.0.0-4.el6_0.2.x86_64.rpm openssl-static-1.0.0-4.el6_0.2.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package 7. References: https://access.redhat.com/security/cve/CVE-2010-4180 https://access.redhat.com/security/updates/classification#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2010 Red Hat, Inc. . Recent updates for OpenSSL packages have been released for Red Hat Enterprise Linux 6 to mitigate a moderate vulnerability associated with ciphersuite configurations.. OpenSSL Update, Red Hat Security, Linux Enterprise, Security Patch. . LinuxSecurity.com Team
Dec 13, 2010
Red Hat
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!