RHBA-2011:1058 - Bug Fix Advisory

Topic

An updated m2crypto package that fixes various bugs is now available for Red Hat
Enterprise Linux 5.

Description

m2crypto allows OpenSSL functions to be called from Python scripts.

This updated m2crypto package includes fixes for the following bugs:

• Prior to this update, the AES_crypt() function did not free a temporary

buffer. This caused a memory leak when the function was called repeatedly. This
problem has been fixed and the AES_crypt() function now frees memory correctly.
(BZ#659881)

• Previously, calling the m.2asn1_INTEGER_get() function resulted in an

incorrect numerical value for the serial number due to a data type mismatch. As
a consequence, the subscription-manager application displayed an error message
about the serial number being less than zero. Serial numbers are now handled
correctly and no error message appears. (BZ#703648)

All users of m2crypto are advised to upgrade to this updated package, which
resolves these bugs.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat
Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 659881 - Memory leak in m2crypto-0.16/SWIG/_aes.i: AES_crypt
• BZ - 703648 - x509 certs can not have serial numbers larger than python int

CVEs

(none)

References

(none)