- Issued:
- 2011-07-21
- Updated:
- 2011-07-21
RHBA-2011:1010 - Bug Fix Advisory
Synopsis
openssl bug fix and enhancement update
Type/Severity
Bug Fix Advisory
Red Hat Lightspeed patch analysis
Identify and remediate systems affected by this advisory.
Topic
Updated openssl packages that fix several bugs and add various enhancements are
now available for Red Hat Enterprise Linux 5.
Description
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) protocols, as well as a full-strength
general-purpose cryptography library.
This update fixes the following bugs:
- Prior to this update, the "s_server" command refused to handle connections
from clients with an unresolvable IP address and terminated with this error
message: "getnameinfo failed". This problem has been fixed: the "s_server"
command now does not terminate even if the IP address of the client is not
resolvable. (BZ#561260)
- Prior to this update, the openssl packages were not fully compliant with the
TLS protocol. As a consequence, the system did not accept a connection from a
client indicating that it supports the TLS protocol version 4.1. With this
update, the server now accepts connections from such clients, which fixes the
problem. (BZ#599112)
- Prior to this update, repeatedly loading and unloading the CHIL engine by a
calling program caused the calling program to terminate unexpectedly due to a
function pointer not being cleared after the engine was unloaded. This bug has
been fixed, and the calling program does not crash anymore. (BZ#622003)
- Prior to this update, a check for a weak public key was missing while the
Diffie-Hellman key was computed. With this update, the DH_check_pub_key()
function call has been added to the DH_compute_key() function, which solves this
low impact problem. (BZ#698175)
- The CHIL Engine is used to access Thales or nCipher hardware devices. Prior to
this update, when attempting to load the CHIL engine into the openssl utility,
the CHIL engine required thread locking callbacks to be set regardless of
whether the calling program was multithreaded. With this update, this unexpected
requirement has been removed. (BZ#671484)
- Prior to this update, when running a multithreaded OpenSSL client application
that tried to connect to a server simultaneously with multiple threads, a TLS
protocol error could have occurred. This bug has been fixed in this update and
no longer occurs. (BZ#688901)
In addition, this update provides the following enhancements:
- Prior to this update, manual and help pages for various sub-commands of the
openssl utility did not specify all the digest algorithms. With this update, the
aforementioned pages have been modified, and users are now pointed to the
"openssl dgst -h" command that lists all the available digests. (BZ#608639)
- The StartCom Free SSL Certification Authority and VeriSign Class 3 Public
Primary Certification Authority - G5 certificates were added to the
/etc/pki/tls/certs/ca-bundle.crt file that contains the certificates of trusted
certification authorities. (BZ#675671, BZ#617856)
- The support for peer certificates that use the SHA-256 and SHA-512 hashing
algorithms is now enabled by default even if the application calls only the
SSL_library_init() function without the OpenSSL_add_all_algorithms() call.
(BZ#676384)
All users of OpenSSL should upgrade to these updated packages, which fix these
bugs and add these enhancements.
Solution
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
Affected Products
- Red Hat Enterprise Linux Server 5 x86_64
- Red Hat Enterprise Linux Server 5 ia64
- Red Hat Enterprise Linux Server 5 i386
- Red Hat Enterprise Linux Workstation 5 x86_64
- Red Hat Enterprise Linux Workstation 5 i386
- Red Hat Enterprise Linux Desktop 5 x86_64
- Red Hat Enterprise Linux Desktop 5 i386
- Red Hat Enterprise Linux for IBM z Systems 5 s390x
- Red Hat Enterprise Linux for Power, big endian 5 ppc
- Red Hat Enterprise Linux Server from RHUI 5 x86_64
- Red Hat Enterprise Linux Server from RHUI 5 i386
Fixes
- BZ - 561260 - s_server quits when receiving a connection from an unresolvable IP
- BZ - 599112 - openssl-0.9.8e-12.el5_4.6 is TLS non-compliant (version intolerance)
- BZ - 608639 - man pages and help text do not list all digests
- BZ - 622003 - Calling program crashes when loading OpenSSL CHIL Engine twice
- BZ - 671484 - Backport OpenSSL RT #1736, CHIL Engine thread lock upcall management
- BZ - 675671 - Root CA cert bundle is missing "VeriSign Class 3 Public Primary Certification Authority - G5" cert
- BZ - 676384 - OpenSSL / PAM & NSS_LDAP / SUDO fail TLS_CHECKPEER with Cipher AES256-SHA
- BZ - 688901 - occasional 502 errors on httpd load balancer
- BZ - 698175 - Add call to DH_check_pub_key() in DH_compute_key() by Diffie-Hellman key exchange
CVEs
(none)
References
(none)
Red Hat Enterprise Linux Server 5
| SRPM | |
|---|---|
| openssl-0.9.8e-20.el5.src.rpm | SHA-256: 76781165dc28f7edbbda8b6002a1c4d88a05eaeb8deaf6dad9426b2fd27ea7b7 |
| x86_64 | |
| openssl-0.9.8e-20.el5.i686.rpm | SHA-256: 5bf36628fd808b62164c184af5a9a3738ffc6e8a1d28f34d97f811a1e0615786 |
| openssl-0.9.8e-20.el5.x86_64.rpm | SHA-256: 6f9c4ce37e97928c83a66e1a6709c35eee0acacd7cd0e0e1e64b76de421da172 |
| openssl-devel-0.9.8e-20.el5.i386.rpm | SHA-256: 6552ed7c1cb868d628a8522693b8ee5a6661552ede53ccf345a5e2b80f3b988b |
| openssl-devel-0.9.8e-20.el5.x86_64.rpm | SHA-256: ab30ccc6ec67122a74123c73cdcfd96a4dec839804f5b2e091d7a529b3f7915f |
| openssl-perl-0.9.8e-20.el5.x86_64.rpm | SHA-256: 8c172fa63e17e4ba2c7de6fc914057264f38fcce6804ed2d9847db13d32c96ee |
| ia64 | |
| openssl-0.9.8e-20.el5.i686.rpm | SHA-256: 5bf36628fd808b62164c184af5a9a3738ffc6e8a1d28f34d97f811a1e0615786 |
| openssl-0.9.8e-20.el5.ia64.rpm | SHA-256: 06b7a99cf33579270e10a5ce584594c2a857cf639c9fd6d6807fc86311fc8848 |
| openssl-devel-0.9.8e-20.el5.ia64.rpm | SHA-256: e1f2b4e2d46b0b444f301ce367536012381722f8ad8652d5e21ea5980fff3108 |
| openssl-perl-0.9.8e-20.el5.ia64.rpm | SHA-256: 2e036de0f3c0ac947d2de314a8640bcf2e05fb1471c9d166a4d5a23fde872ccc |
| i386 | |
| openssl-0.9.8e-20.el5.i386.rpm | SHA-256: 76311967f16e42492255c4550dc02f012df9594700b16d5b3cd4194e9d2ef18d |
| openssl-0.9.8e-20.el5.i686.rpm | SHA-256: 5bf36628fd808b62164c184af5a9a3738ffc6e8a1d28f34d97f811a1e0615786 |
| openssl-devel-0.9.8e-20.el5.i386.rpm | SHA-256: 6552ed7c1cb868d628a8522693b8ee5a6661552ede53ccf345a5e2b80f3b988b |
| openssl-perl-0.9.8e-20.el5.i386.rpm | SHA-256: 348a9802335d26d8293e54f73ba8f4edd89270ce9e07afcb2ea8165e01f7e71c |
Red Hat Enterprise Linux Workstation 5
| SRPM | |
|---|---|
| openssl-0.9.8e-20.el5.src.rpm | SHA-256: 76781165dc28f7edbbda8b6002a1c4d88a05eaeb8deaf6dad9426b2fd27ea7b7 |
| x86_64 | |
| openssl-0.9.8e-20.el5.i686.rpm | SHA-256: 5bf36628fd808b62164c184af5a9a3738ffc6e8a1d28f34d97f811a1e0615786 |
| openssl-0.9.8e-20.el5.x86_64.rpm | SHA-256: 6f9c4ce37e97928c83a66e1a6709c35eee0acacd7cd0e0e1e64b76de421da172 |
| openssl-devel-0.9.8e-20.el5.i386.rpm | SHA-256: 6552ed7c1cb868d628a8522693b8ee5a6661552ede53ccf345a5e2b80f3b988b |
| openssl-devel-0.9.8e-20.el5.x86_64.rpm | SHA-256: ab30ccc6ec67122a74123c73cdcfd96a4dec839804f5b2e091d7a529b3f7915f |
| openssl-perl-0.9.8e-20.el5.x86_64.rpm | SHA-256: 8c172fa63e17e4ba2c7de6fc914057264f38fcce6804ed2d9847db13d32c96ee |
| i386 | |
| openssl-0.9.8e-20.el5.i386.rpm | SHA-256: 76311967f16e42492255c4550dc02f012df9594700b16d5b3cd4194e9d2ef18d |
| openssl-0.9.8e-20.el5.i686.rpm | SHA-256: 5bf36628fd808b62164c184af5a9a3738ffc6e8a1d28f34d97f811a1e0615786 |
| openssl-devel-0.9.8e-20.el5.i386.rpm | SHA-256: 6552ed7c1cb868d628a8522693b8ee5a6661552ede53ccf345a5e2b80f3b988b |
| openssl-perl-0.9.8e-20.el5.i386.rpm | SHA-256: 348a9802335d26d8293e54f73ba8f4edd89270ce9e07afcb2ea8165e01f7e71c |
Red Hat Enterprise Linux Desktop 5
| SRPM | |
|---|---|
| openssl-0.9.8e-20.el5.src.rpm | SHA-256: 76781165dc28f7edbbda8b6002a1c4d88a05eaeb8deaf6dad9426b2fd27ea7b7 |
| x86_64 | |
| openssl-0.9.8e-20.el5.i686.rpm | SHA-256: 5bf36628fd808b62164c184af5a9a3738ffc6e8a1d28f34d97f811a1e0615786 |
| openssl-0.9.8e-20.el5.x86_64.rpm | SHA-256: 6f9c4ce37e97928c83a66e1a6709c35eee0acacd7cd0e0e1e64b76de421da172 |
| openssl-perl-0.9.8e-20.el5.x86_64.rpm | SHA-256: 8c172fa63e17e4ba2c7de6fc914057264f38fcce6804ed2d9847db13d32c96ee |
| i386 | |
| openssl-0.9.8e-20.el5.i386.rpm | SHA-256: 76311967f16e42492255c4550dc02f012df9594700b16d5b3cd4194e9d2ef18d |
| openssl-0.9.8e-20.el5.i686.rpm | SHA-256: 5bf36628fd808b62164c184af5a9a3738ffc6e8a1d28f34d97f811a1e0615786 |
| openssl-perl-0.9.8e-20.el5.i386.rpm | SHA-256: 348a9802335d26d8293e54f73ba8f4edd89270ce9e07afcb2ea8165e01f7e71c |
Red Hat Enterprise Linux for IBM z Systems 5
| SRPM | |
|---|---|
| openssl-0.9.8e-20.el5.src.rpm | SHA-256: 76781165dc28f7edbbda8b6002a1c4d88a05eaeb8deaf6dad9426b2fd27ea7b7 |
| s390x | |
| openssl-0.9.8e-20.el5.s390.rpm | SHA-256: 51d1a52d7eeac571f95ff1acccf0357669b4c08690a0350f8a6475f708c780e4 |
| openssl-0.9.8e-20.el5.s390x.rpm | SHA-256: a574916394431aab0b431f9bbdd83a8c9b47dfe387a4617141732d744880eb72 |
| openssl-devel-0.9.8e-20.el5.s390.rpm | SHA-256: 562dd02354db4b9d1f09899c4907860d4f5b7f42e8f3708da406009505043eb7 |
| openssl-devel-0.9.8e-20.el5.s390x.rpm | SHA-256: 8b53b3308eae4c85cad37b080cf9ba42cde5c493c6177a06b28480a6c74ba97e |
| openssl-perl-0.9.8e-20.el5.s390x.rpm | SHA-256: 51c25f8200349fa72926544df5618db2c4fcef4940cf65b3d425f2f934108d2d |
Red Hat Enterprise Linux for Power, big endian 5
| SRPM | |
|---|---|
| openssl-0.9.8e-20.el5.src.rpm | SHA-256: 76781165dc28f7edbbda8b6002a1c4d88a05eaeb8deaf6dad9426b2fd27ea7b7 |
| ppc | |
| openssl-0.9.8e-20.el5.ppc.rpm | SHA-256: d63f1e5b64e9c725a397b1c84cf048aa86975ccdbfc38c6dcbb1887d129e599b |
| openssl-0.9.8e-20.el5.ppc64.rpm | SHA-256: 5be573fc2122a61a2215376fa70ca4dfbed6727811cc67abfe022beed6e4d5f2 |
| openssl-devel-0.9.8e-20.el5.ppc.rpm | SHA-256: 71311565c7d958477a694d18dd8ff4a50a87b79297beabe4628a4e0a34878746 |
| openssl-devel-0.9.8e-20.el5.ppc64.rpm | SHA-256: 900c1db539f585d5c6be5900cd12f9a8c764a15b337d91ed2b71f006633974af |
| openssl-perl-0.9.8e-20.el5.ppc.rpm | SHA-256: a22450a7b5aa8a651c04dd91dfa5eb0f03f7a7a88e3e115b55999f8c03d03b8e |
Red Hat Enterprise Linux Server from RHUI 5
| SRPM | |
|---|---|
| openssl-0.9.8e-20.el5.src.rpm | SHA-256: 76781165dc28f7edbbda8b6002a1c4d88a05eaeb8deaf6dad9426b2fd27ea7b7 |
| x86_64 | |
| openssl-0.9.8e-20.el5.i686.rpm | SHA-256: 5bf36628fd808b62164c184af5a9a3738ffc6e8a1d28f34d97f811a1e0615786 |
| openssl-0.9.8e-20.el5.x86_64.rpm | SHA-256: 6f9c4ce37e97928c83a66e1a6709c35eee0acacd7cd0e0e1e64b76de421da172 |
| openssl-devel-0.9.8e-20.el5.i386.rpm | SHA-256: 6552ed7c1cb868d628a8522693b8ee5a6661552ede53ccf345a5e2b80f3b988b |
| openssl-devel-0.9.8e-20.el5.x86_64.rpm | SHA-256: ab30ccc6ec67122a74123c73cdcfd96a4dec839804f5b2e091d7a529b3f7915f |
| openssl-perl-0.9.8e-20.el5.x86_64.rpm | SHA-256: 8c172fa63e17e4ba2c7de6fc914057264f38fcce6804ed2d9847db13d32c96ee |
| i386 | |
| openssl-0.9.8e-20.el5.i386.rpm | SHA-256: 76311967f16e42492255c4550dc02f012df9594700b16d5b3cd4194e9d2ef18d |
| openssl-0.9.8e-20.el5.i686.rpm | SHA-256: 5bf36628fd808b62164c184af5a9a3738ffc6e8a1d28f34d97f811a1e0615786 |
| openssl-devel-0.9.8e-20.el5.i386.rpm | SHA-256: 6552ed7c1cb868d628a8522693b8ee5a6661552ede53ccf345a5e2b80f3b988b |
| openssl-perl-0.9.8e-20.el5.i386.rpm | SHA-256: 348a9802335d26d8293e54f73ba8f4edd89270ce9e07afcb2ea8165e01f7e71c |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
