First published: Mon Mar 04 2013

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.

It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-0169)

A NULL pointer dereference flaw was found in the OCSP response verification in OpenSSL. A malicious OCSP server could use this flaw to crash applications performing OCSP verification by sending a specially-crafted response. (CVE-2013-0166)

It was discovered that the TLS/SSL protocol could leak information about plain text when optional compression was used. An attacker able to control part of the plain text sent over an encrypted TLS/SSL connection could possibly use this flaw to recover other portions of the plain text. (CVE-2012-4929)

Note: This update disables zlib compression, which was previously enabled in OpenSSL by default. Applications using OpenSSL now need to explicitly enable zlib compression to use it.

It was found that OpenSSL read certain environment variables even when used by a privileged (setuid or setgid) application. A local attacker could use this flaw to escalate their privileges. No application shipped with Red Hat Enterprise Linux 5 and 6 was affected by this problem. (BZ#839735)

All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/openssl | <1.0.0-27.el6_4.2 | 1.0.0-27.el6_4.2 |
redhat/openssl-debuginfo | <1.0.0-27.el6_4.2 | 1.0.0-27.el6_4.2 |
redhat/openssl-devel | <1.0.0-27.el6_4.2 | 1.0.0-27.el6_4.2 |
redhat/openssl-perl | <1.0.0-27.el6_4.2 | 1.0.0-27.el6_4.2 |
redhat/openssl-static | <1.0.0-27.el6_4.2 | 1.0.0-27.el6_4.2 |
redhat/openssl | <0.9.8e-26.el5_9.1 | 0.9.8e-26.el5_9.1 |
redhat/openssl-debuginfo | <0.9.8e-26.el5_9.1 | 0.9.8e-26.el5_9.1 |
redhat/openssl-devel | <0.9.8e-26.el5_9.1 | 0.9.8e-26.el5_9.1 |
redhat/openssl-perl | <0.9.8e-26.el5_9.1 | 0.9.8e-26.el5_9.1 |
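As an added example (not part of the advisory or of Red Hat's tooling): a small Python check that decides whether an installed openssl package is older than the fixed version-release named above for its RHEL branch, using a minimal reimplementation of RPM's rpmvercmp ordering rather than the rpm library. The package strings in `SAMPLE_RPM_Q` are constructed to look like `rpm -q openssl` output.

```python
import re

# Fixed version-release per branch, taken from RHSA-2013:0587, keyed by dist tag.
FIXED = {"el6": "1.0.0-27.el6_4.2", "el5": "0.9.8e-26.el5_9.1"}

# Constructed sample lines in the shape of `rpm -q openssl` output (not real hosts).
SAMPLE_RPM_Q = [
    "openssl-1.0.0-25.el6_3.1.x86_64",   # older than the fix -> affected
    "openssl-1.0.0-27.el6_4.2.i686",     # exactly the fixed build -> not affected
    "openssl-0.9.8e-26.el5_9.1.x86_64",  # fixed EL5 build -> not affected
]

def _segments(s):
    # rpmvercmp splits on non-alphanumerics into runs of digits or letters.
    return re.findall(r"[0-9]+|[a-zA-Z]+", s)

def rpmvercmp(a, b):
    """Order two version or release strings like rpmvercmp: digit runs compare
    numerically, letter runs lexically, a digit run is newer than a letter run,
    and when one string runs out of segments the longer one is newer."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def compare_vr(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_vulnerable(installed_vr):
    """True if the installed openssl version-release predates the fixed one."""
    m = re.search(r"\.(el[56])", installed_vr)
    if not m:
        raise ValueError("not a RHEL 5/6 openssl build: " + installed_vr)
    return compare_vr(installed_vr, FIXED[m.group(1)]) < 0

def check_rpm_line(line):
    """Parse one `rpm -q openssl` line (name-version-release.arch) and check it."""
    m = re.match(r"openssl-(\d[^-]*-\S+)\.(x86_64|i686|i386)$", line.strip())
    if not m:
        raise ValueError("unexpected rpm -q output: " + line)
    return is_vulnerable(m.group(1))

if __name__ == "__main__":
    for l in SAMPLE_RPM_Q:
        print(l, "AFFECTED" if check_rpm_line(l) else "fixed")
```

On a real host, feed the output of `rpm -q openssl` to `check_rpm_line`; a "fixed" result still requires that services linked against libssl were restarted after the update.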
The severity of RHSA-2013:0587 is considered moderate due to the timing information leak in OpenSSL.
To fix RHSA-2013:0587, you should update OpenSSL to version 1.0.0-27.el6_4.2 or 0.9.8e-26.el5_9.1 depending on your operating system.
RHSA-2013:0587 affects OpenSSL versions prior to 1.0.0-27.el6_4.2 and 0.9.8e-26.el5_9.1.
RHSA-2013:0587 impacts the openssl, openssl-debuginfo, openssl-devel, and openssl-perl packages.
There is no specific known exploit associated with RHSA-2013:0587, but the vulnerability could potentially be leveraged in targeted attacks.