4.209. openssl

Updated openssl packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.

Security Fixes

CVE-2011-4108
It was discovered that the Datagram Transport Layer Security (DTLS) protocol implementation in OpenSSL leaked timing information when performing certain operations. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a DTLS server as a padding oracle.
CVE-2011-4576
An information leak flaw was found in the SSL 3.0 protocol implementation in OpenSSL. Incorrect initialization of SSL record padding bytes could cause an SSL client or server to send a limited amount of possibly sensitive data to its SSL peer via the encrypted connection.
CVE-2011-4577
A denial of service flaw was found in the RFC 3779 implementation in OpenSSL. A remote attacker could use this flaw to make an application using OpenSSL exit unexpectedly by providing a specially-crafted X.509 certificate that has malformed RFC 3779 extension data.
CVE-2011-4619
It was discovered that OpenSSL did not limit the number of TLS/SSL handshake restarts required to support Server Gated Cryptography. A remote attacker could use this flaw to make a TLS/SSL server using OpenSSL consume an excessive amount of CPU by continuously restarting the handshake.
All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
Updated openssl packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.

Security Fixes

CVE-2012-1165
A NULL pointer dereference flaw was found in the way OpenSSL parsed Secure/Multipurpose Internet Mail Extensions (S/MIME) messages. An attacker could use this flaw to crash an application that uses OpenSSL to decrypt or verify S/MIME messages.
CVE-2012-0884
A flaw was found in the PKCS#7 and Cryptographic Message Syntax (CMS) implementations in OpenSSL. An attacker could possibly use this flaw to perform a Bleichenbacher attack to decrypt an encrypted CMS, PKCS#7, or S/MIME message by sending a large number of chosen ciphertext messages to a service using OpenSSL and measuring error response times.
This update also fixes a regression caused by the fix for CVE-2011-4619, released via RHSA-2012:0060 and RHSA-2012:0059, which caused Server Gated Cryptography (SGC) handshakes to fail.
All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
Updated openssl, openssl097a, and openssl098e packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.

Security Fix

CVE-2012-2110
Multiple numeric conversion errors, leading to a buffer overflow, were found in the way OpenSSL parsed ASN.1 (Abstract Syntax Notation One) data from BIO (OpenSSL's I/O abstraction) inputs. Specially-crafted DER (Distinguished Encoding Rules) encoded data read from a file or other BIO input could cause an application using the OpenSSL library to crash or, potentially, execute arbitrary code.
All OpenSSL users should upgrade to these updated packages, which contain a backported patch to resolve this issue. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
Updated openssl packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.

Security Fix

CVE-2012-2333
An integer underflow flaw, leading to a buffer over-read, was found in the way OpenSSL handled DTLS (Datagram Transport Layer Security) application data record lengths when using a block cipher in CBC (cipher-block chaining) mode. A malicious DTLS client or server could use this flaw to crash its DTLS connection peer.
Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges Codenomicon as the original reporter.
On Red Hat Enterprise Linux 6, this update also fixes an uninitialized variable use bug, introduced by the fix for CVE-2012-0884 (released via RHSA-2012:0426). This bug could possibly cause an attempt to create an encrypted message in the CMS (Cryptographic Message Syntax) format to fail.
All OpenSSL users should upgrade to these updated packages, which contain a backported patch to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
Updated openssl packages that fix two bugs and add several enhancements are now available for Red Hat Enterprise Linux 6.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Bug Fixes

BZ#693863
Prior to this update, repeatedly loading and unloading the CHIL engine could cause the calling program to terminate unexpectedly with a segmentation fault. This happened, because a function pointer was not properly cleared after the engine was unloaded. With this update, the underlying source code has been corrected to clear the function pointer when the engine is unloaded, and the calling program no longer crashes in this scenario.
BZ#740188
Due to missing variable initialization, the CHIL engine could occasionally fail to load. This update corrects the underlying source code to properly initialize this variable so that the CHIL engine is no longer prevented from loading.

Enhancements

BZ#696389
The performance of the AES encryption algorithm on CPUs with the AES-NI instruction set, as well as SHA-1 and RC4 algorithms on 32-bit and 64-bit x86 architectures has been significantly improved.
BZ#708511
For testing purposes, the OpenSSL source RPM package can now be built without additional patches.
BZ#723994
Partial RELRO is now enabled during the build of the OpenSSL libraries to improve security vulnerability properties of applications that use these libraries.
BZ#726081
Users can now explicitly disable the built-in AES-NI (Advanced Encryption Standard New Instruction) CPU instruction acceleration support by setting the OPENSSL_DISABLE_AES_NI environment variable to any value.
BZ#740872
Prior to this update, there was no direct KAT (known answer test) self-test for the SHA-2 algorithms in FIPS mode; these algorithms were self-tested only during the HMAC self-tests. This update provides an implementation of the direct KAT self-test for SHA-2 algorithms.
BZ#693858
Previously, the manual and help pages for various subcommands of the openssl utility did not specify all digest algorithms. This update adapts these pages and users are now instructed to run the "openssl dgst -h" command, which lists all available digests.
All users of openssl are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
An updated openssl package that fixes one bug is now available for Red Hat Enterprise Linux 6.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full strength general-purpose cryptography library.

Bug Fix

BZ#799256
The functions that implement Counter (CTR), Output Feedback (OFB), and Cipher Feedback (CFB) block cipher modes previously incorrectly reset the counter of the remaining bytes of a block that had not been used in the previous encryption or decryption operation. Consequently, calling the encryption function on a small amount of data, that was not aligned to the size of the block, led to incorrect data encryption or decryption in the aforementioned modes. An upstream patch has been applied to correct the underlying functions, and both encryption and decryption now work as expected in CTR, OFB, and CFB modes.
All users of openssl are advised to upgrade to this updated package, which fixes this bug.