Issued:
2009-09-02
Updated:
2009-09-02

RHSA-2009:1335 - Security Advisory

Synopsis

Moderate: openssl security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

Updated openssl packages that fix several security issues, various bugs,
and add enhancements are now available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Description

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a full-strength
general purpose cryptography library. Datagram TLS (DTLS) is a protocol
based on TLS that is capable of securing datagram transport (for example,
UDP).

Multiple denial of service flaws were discovered in OpenSSL's DTLS
implementation. A remote attacker could use these flaws to cause a DTLS
server to use excessive amounts of memory, or crash on an invalid memory
access or NULL pointer dereference. (CVE-2009-1377, CVE-2009-1378,
CVE-2009-1379, CVE-2009-1386, CVE-2009-1387)

Note: These flaws only affect applications that use DTLS. Red Hat does not
ship any DTLS client or server applications in Red Hat Enterprise Linux.

An input validation flaw was found in the handling of the BMPString and
UniversalString ASN1 string types in OpenSSL's ASN1_STRING_print_ex()
function. An attacker could use this flaw to create a specially-crafted
X.509 certificate that could cause applications using the affected function
to crash when printing certificate contents. (CVE-2009-0590)

Note: The affected function is rarely used. No application shipped with Red
Hat Enterprise Linux calls this function, for example.

These updated packages also fix the following bugs:

  • "openssl smime -verify -in" verifies the signature of the input file and
    the "-verify" switch expects a signed or encrypted input file. Previously,
    running openssl on an S/MIME file that was not encrypted or signed caused
    openssl to segfault. With this update, the input file is now checked for a
    signature or encryption. Consequently, openssl now returns an error and
    quits when attempting to verify an unencrypted or unsigned S/MIME file.
    (BZ#472440)
  • when generating RSA keys, pairwise tests were called even in non-FIPS
    mode. This prevented small keys from being generated. With this update,
    generating keys in non-FIPS mode no longer calls the pairwise tests and
    keys as small as 32-bits can be generated in this mode. Note: In FIPS mode,
    pairwise tests are still called and keys generated in this mode must still
    be 1024-bits or larger. (BZ#479817)

As well, these updated packages add the following enhancements:

  • both the libcrypto and libssl shared libraries, which are part of the
    OpenSSL FIPS module, are now checked for integrity on initialization of
    FIPS mode. (BZ#475798)
  • an issuing Certificate Authority (CA) allows multiple certificate
    templates to inherit the CA's Common Name (CN). Because this CN is used as
    a unique identifier, each template had to have its own Certificate
    Revocation List (CRL). With this update, multiple CRLs with the same
    subject name can now be stored in a X509_STORE structure, with their
    signature field being used to distinguish between them. (BZ#457134)
  • the fipscheck library is no longer needed for rebuilding the openssl
    source RPM. (BZ#475798)

OpenSSL users should upgrade to these updated packages, which resolve these
issues and add these enhancements.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 ia64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux Workstation 5 x86_64
  • Red Hat Enterprise Linux Workstation 5 i386
  • Red Hat Enterprise Linux Desktop 5 x86_64
  • Red Hat Enterprise Linux Desktop 5 i386
  • Red Hat Enterprise Linux for IBM z Systems 5 s390x
  • Red Hat Enterprise Linux for Power, big endian 5 ppc
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

  • BZ - 479817 - Do not call pairwise tests in non-FIPS mode
  • BZ - 492304 - CVE-2009-0590 openssl: ASN1 printing crash
  • BZ - 501253 - CVE-2009-1377 OpenSSL: DTLS epoch record buffer memory DoS
  • BZ - 501254 - CVE-2009-1378 OpenSSL: DTLS fragment handling memory DoS
  • BZ - 501572 - CVE-2009-1379 OpenSSL: DTLS pointer use-after-free flaw (DoS)
  • BZ - 503685 - CVE-2009-1386 openssl: DTLS NULL deref crash on early ChangeCipherSpec request
  • BZ - 503688 - CVE-2009-1387 openssl: DTLS out-of-sequence message handling NULL deref DoS

CVEs

References

Red Hat Enterprise Linux Server 5

SRPM
openssl-0.9.8e-12.el5.src.rpm SHA-256: 438cc8dc9f4aead42931e666c0d6b20b584357301187be3f02105881da8157a7
x86_64
openssl-0.9.8e-12.el5.i686.rpm SHA-256: 6b2356601f7469af9c140b3fed224e3f09d607ba479bb7068af7fdccbea0d234
openssl-0.9.8e-12.el5.x86_64.rpm SHA-256: 57f6483bf87ad1d48ac46cc5ab5960813c664222357b2227042cf656661b9a56
openssl-devel-0.9.8e-12.el5.i386.rpm SHA-256: 39e7d3ce330ee0b08edb8246a12e8969aee98a98e1f25e0281c93c73eb685db0
openssl-devel-0.9.8e-12.el5.x86_64.rpm SHA-256: ca2ef4c7e9c2717e8cc99186dd23862f8ded7db2cb379a4646ef6853a3d323d6
openssl-perl-0.9.8e-12.el5.x86_64.rpm SHA-256: 9ca9fe5fdf5cd7ffd41ea4e27a5296f544c685415128693ce1e121330ecd6cf6
ia64
openssl-0.9.8e-12.el5.i686.rpm SHA-256: 6b2356601f7469af9c140b3fed224e3f09d607ba479bb7068af7fdccbea0d234
openssl-0.9.8e-12.el5.ia64.rpm SHA-256: 2e48a70190ef3230912a6a4af1cbbba7dc3eb2cacd6a145d31491199ab5a34e7
openssl-devel-0.9.8e-12.el5.ia64.rpm SHA-256: b468f0e2ef1a3da573553255633a84c30df3a8f8c06b5bbaf29ada3e936de10a
openssl-perl-0.9.8e-12.el5.ia64.rpm SHA-256: b32ed5d084adc26e7f5088b0203e6417d833a016a31e661664edcdfe1d3701fc
i386
openssl-0.9.8e-12.el5.i386.rpm SHA-256: 03f605ce095a2c1f49f81460b3050ffd771a7f0139f93e755b96ed39847e2133
openssl-0.9.8e-12.el5.i686.rpm SHA-256: 6b2356601f7469af9c140b3fed224e3f09d607ba479bb7068af7fdccbea0d234
openssl-devel-0.9.8e-12.el5.i386.rpm SHA-256: 39e7d3ce330ee0b08edb8246a12e8969aee98a98e1f25e0281c93c73eb685db0
openssl-perl-0.9.8e-12.el5.i386.rpm SHA-256: 6a4b969173b516cb8c34d833b1af79b8d369d157663ef4eb8d9db4990e4c0627

Red Hat Enterprise Linux Workstation 5

SRPM
openssl-0.9.8e-12.el5.src.rpm SHA-256: 438cc8dc9f4aead42931e666c0d6b20b584357301187be3f02105881da8157a7
x86_64
openssl-0.9.8e-12.el5.i686.rpm SHA-256: 6b2356601f7469af9c140b3fed224e3f09d607ba479bb7068af7fdccbea0d234
openssl-0.9.8e-12.el5.x86_64.rpm SHA-256: 57f6483bf87ad1d48ac46cc5ab5960813c664222357b2227042cf656661b9a56
openssl-devel-0.9.8e-12.el5.i386.rpm SHA-256: 39e7d3ce330ee0b08edb8246a12e8969aee98a98e1f25e0281c93c73eb685db0
openssl-devel-0.9.8e-12.el5.x86_64.rpm SHA-256: ca2ef4c7e9c2717e8cc99186dd23862f8ded7db2cb379a4646ef6853a3d323d6
openssl-perl-0.9.8e-12.el5.x86_64.rpm SHA-256: 9ca9fe5fdf5cd7ffd41ea4e27a5296f544c685415128693ce1e121330ecd6cf6
i386
openssl-0.9.8e-12.el5.i386.rpm SHA-256: 03f605ce095a2c1f49f81460b3050ffd771a7f0139f93e755b96ed39847e2133
openssl-0.9.8e-12.el5.i686.rpm SHA-256: 6b2356601f7469af9c140b3fed224e3f09d607ba479bb7068af7fdccbea0d234
openssl-devel-0.9.8e-12.el5.i386.rpm SHA-256: 39e7d3ce330ee0b08edb8246a12e8969aee98a98e1f25e0281c93c73eb685db0
openssl-perl-0.9.8e-12.el5.i386.rpm SHA-256: 6a4b969173b516cb8c34d833b1af79b8d369d157663ef4eb8d9db4990e4c0627

Red Hat Enterprise Linux Desktop 5

SRPM
openssl-0.9.8e-12.el5.src.rpm SHA-256: 438cc8dc9f4aead42931e666c0d6b20b584357301187be3f02105881da8157a7
x86_64
openssl-0.9.8e-12.el5.i686.rpm SHA-256: 6b2356601f7469af9c140b3fed224e3f09d607ba479bb7068af7fdccbea0d234
openssl-0.9.8e-12.el5.x86_64.rpm SHA-256: 57f6483bf87ad1d48ac46cc5ab5960813c664222357b2227042cf656661b9a56
openssl-perl-0.9.8e-12.el5.x86_64.rpm SHA-256: 9ca9fe5fdf5cd7ffd41ea4e27a5296f544c685415128693ce1e121330ecd6cf6
i386
openssl-0.9.8e-12.el5.i386.rpm SHA-256: 03f605ce095a2c1f49f81460b3050ffd771a7f0139f93e755b96ed39847e2133
openssl-0.9.8e-12.el5.i686.rpm SHA-256: 6b2356601f7469af9c140b3fed224e3f09d607ba479bb7068af7fdccbea0d234
openssl-perl-0.9.8e-12.el5.i386.rpm SHA-256: 6a4b969173b516cb8c34d833b1af79b8d369d157663ef4eb8d9db4990e4c0627

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
openssl-0.9.8e-12.el5.src.rpm SHA-256: 438cc8dc9f4aead42931e666c0d6b20b584357301187be3f02105881da8157a7
s390x
openssl-0.9.8e-12.el5.s390.rpm SHA-256: 045ab24e7a44f1dd275872df3994723617f0295d028403573c3599ec5c82b998
openssl-0.9.8e-12.el5.s390x.rpm SHA-256: 7ad118c2b0ebef27c514a69bf895c18cd3f096466b342bd5ac7d2553bb069bd5
openssl-devel-0.9.8e-12.el5.s390.rpm SHA-256: 6e0eb98b9e6ff0516d25287e72ab888e1d99ffd5bc4caf501271cf760a1b0f14
openssl-devel-0.9.8e-12.el5.s390x.rpm SHA-256: 3b9b262000f2d8c5c574eec063d1a95e36cb42d2387c4a8d34b762b57b62b09d
openssl-perl-0.9.8e-12.el5.s390x.rpm SHA-256: 1706c292fa839fbec4fdff07a714aec2ecc189f0b322b1b25a2f6dd4ca9a5909

Red Hat Enterprise Linux for Power, big endian 5

SRPM
openssl-0.9.8e-12.el5.src.rpm SHA-256: 438cc8dc9f4aead42931e666c0d6b20b584357301187be3f02105881da8157a7
ppc
openssl-0.9.8e-12.el5.ppc.rpm SHA-256: a6205d5a7894d9bf18b724a0f755bc055c462a0da243cfbda5200e6b00101818
openssl-0.9.8e-12.el5.ppc64.rpm SHA-256: 9198549d91ab763eb238ed0bd4fffded97aee0f097149e723acf14e9bced21bb
openssl-devel-0.9.8e-12.el5.ppc.rpm SHA-256: 0a44dee8db7f6f5b4a4c263df6de8ecbdfc5e5d04f95c0b167e0dd55d31762b1
openssl-devel-0.9.8e-12.el5.ppc64.rpm SHA-256: 7a13427baa5eaa938f34aba2de9145d2ab9fb63d9c67cc6239bf14f2eea9d5bd
openssl-perl-0.9.8e-12.el5.ppc.rpm SHA-256: 7476e226480436c71e6ce1889ec01bf9f7e99a7130fad1366afd78b0fb788ec0

Red Hat Enterprise Linux Server from RHUI 5

SRPM
openssl-0.9.8e-12.el5.src.rpm SHA-256: 438cc8dc9f4aead42931e666c0d6b20b584357301187be3f02105881da8157a7
x86_64
openssl-0.9.8e-12.el5.i686.rpm SHA-256: 6b2356601f7469af9c140b3fed224e3f09d607ba479bb7068af7fdccbea0d234
openssl-0.9.8e-12.el5.x86_64.rpm SHA-256: 57f6483bf87ad1d48ac46cc5ab5960813c664222357b2227042cf656661b9a56
openssl-devel-0.9.8e-12.el5.i386.rpm SHA-256: 39e7d3ce330ee0b08edb8246a12e8969aee98a98e1f25e0281c93c73eb685db0
openssl-devel-0.9.8e-12.el5.x86_64.rpm SHA-256: ca2ef4c7e9c2717e8cc99186dd23862f8ded7db2cb379a4646ef6853a3d323d6
openssl-perl-0.9.8e-12.el5.x86_64.rpm SHA-256: 9ca9fe5fdf5cd7ffd41ea4e27a5296f544c685415128693ce1e121330ecd6cf6
i386
openssl-0.9.8e-12.el5.i386.rpm SHA-256: 03f605ce095a2c1f49f81460b3050ffd771a7f0139f93e755b96ed39847e2133
openssl-0.9.8e-12.el5.i686.rpm SHA-256: 6b2356601f7469af9c140b3fed224e3f09d607ba479bb7068af7fdccbea0d234
openssl-devel-0.9.8e-12.el5.i386.rpm SHA-256: 39e7d3ce330ee0b08edb8246a12e8969aee98a98e1f25e0281c93c73eb685db0
openssl-perl-0.9.8e-12.el5.i386.rpm SHA-256: 6a4b969173b516cb8c34d833b1af79b8d369d157663ef4eb8d9db4990e4c0627

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.