Revision Date: | 2007-10-22 | Version: | 632 |
Title: | RHSA-2007:0813: openssl security update (Moderate) |
Description: | OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.
A flaw was found in the SSL_get_shared_ciphers() utility function. An attacker could send a list of ciphers to an application that used this function and overrun a buffer with a single byte (CVE-2007-5135). Few applications make use of this vulnerable function and generally it is used only when applications are compiled for debugging.
A number of possible side-channel attacks were discovered affecting OpenSSL. A local attacker could possibly obtain RSA private keys being used on a system. In practice these attacks would be difficult to perform outside of a lab environment. This update contains backported patches designed to mitigate these issues (CVE-2007-3108).
Users of OpenSSL should upgrade to these updated packages, which contain backported patches to resolve these issues.
Note: After installing this update, users are advised to either restart all services that use OpenSSL or restart their system.
|
Family: | unix | Class: | patch |
Status: | | Reference(s): | CVE-2007-3108 CVE-2007-5135 RHSA-2007:0813 RHSA-2007:0813-01
|
Platform(s): | Red Hat Enterprise Linux 3
| Product(s): | |
Definition Synopsis |
Red Hat Enterprise Linux must be installed
OR Package Information
  Red Hat Enterprise Linux 3 is installed
  AND
    openssl-devel is earlier than 0:0.9.7a-33.24 AND openssl-devel is signed with Red Hat master key
    openssl-perl is earlier than 0:0.9.7a-33.24 AND openssl-perl is signed with Red Hat master key
    openssl is earlier than 0:0.9.7a-33.24 AND openssl is signed with Red Hat master key
|