Synopsis

Moderate: openssl097a security update

Type/Severity

Security Advisory: Moderate

Topic

Updated openssl097a packages that fix a security issue are now available
for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Description

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a
full-strength, general purpose cryptography library.

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure
Sockets Layer) protocols handled session renegotiation. A man-in-the-middle
attacker could use this flaw to prefix arbitrary plain text to a client's
session (for example, an HTTPS connection to a website). This could force
the server to process an attacker's request as if authenticated using the
victim's credentials. This update addresses this flaw by implementing the
TLS Renegotiation Indication Extension, as defined in RFC 5746.
(CVE-2009-3555)

Refer to the following Knowledgebase article for additional details about
this flaw: http://kbase.redhat.com/faq/docs/DOC-20491

All openssl097a users should upgrade to these updated packages, which
contain a backported patch to resolve this issue. For the update to take
effect, all services linked to the openssl097a library must be restarted,
or the system rebooted.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Server - Extended Update Support 5.4 x86_64
• Red Hat Enterprise Linux Server - Extended Update Support 5.4 ia64
• Red Hat Enterprise Linux Server - Extended Update Support 5.4 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.4 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.4 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation

CVEs

• CVE-2009-3555

References

• http://www.redhat.com/security/updates/classification/#moderate
• http://kbase.redhat.com/faq/docs/DOC-20491
• http://kbase.redhat.com/faq/docs/DOC-26039

Red Hat Enterprise Linux Server 5

SRPM
openssl097a-0.9.7a-9.el5_4.2.src.rpm	SHA-256: 70e0f0a7ea2dd0c8fc39393696d7adf2ea1e9ab92288872e00c7c478a0a7a3d8
x86_64
openssl097a-0.9.7a-9.el5_4.2.i386.rpm	SHA-256: deff1da33aa029a54b13f79fe579caeeb44ebd806eb39ef7a2c645fdceb09317
openssl097a-0.9.7a-9.el5_4.2.x86_64.rpm	SHA-256: a29f8c8edfc6850b18fc91cf77144af0509c795ee4ac69df3d363baa312a6548
ia64
openssl097a-0.9.7a-9.el5_4.2.i386.rpm	SHA-256: deff1da33aa029a54b13f79fe579caeeb44ebd806eb39ef7a2c645fdceb09317
openssl097a-0.9.7a-9.el5_4.2.ia64.rpm	SHA-256: 9a36fcc277f26dd42daf2141ecc1a27cb9a52a1fa699557983321a8b7679ea7b
i386
openssl097a-0.9.7a-9.el5_4.2.i386.rpm	SHA-256: deff1da33aa029a54b13f79fe579caeeb44ebd806eb39ef7a2c645fdceb09317

Red Hat Enterprise Linux Workstation 5

SRPM
openssl097a-0.9.7a-9.el5_4.2.src.rpm	SHA-256: 70e0f0a7ea2dd0c8fc39393696d7adf2ea1e9ab92288872e00c7c478a0a7a3d8
x86_64
openssl097a-0.9.7a-9.el5_4.2.i386.rpm	SHA-256: deff1da33aa029a54b13f79fe579caeeb44ebd806eb39ef7a2c645fdceb09317
openssl097a-0.9.7a-9.el5_4.2.x86_64.rpm	SHA-256: a29f8c8edfc6850b18fc91cf77144af0509c795ee4ac69df3d363baa312a6548
i386
openssl097a-0.9.7a-9.el5_4.2.i386.rpm	SHA-256: deff1da33aa029a54b13f79fe579caeeb44ebd806eb39ef7a2c645fdceb09317

Red Hat Enterprise Linux Desktop 5

SRPM
openssl097a-0.9.7a-9.el5_4.2.src.rpm	SHA-256: 70e0f0a7ea2dd0c8fc39393696d7adf2ea1e9ab92288872e00c7c478a0a7a3d8
x86_64
openssl097a-0.9.7a-9.el5_4.2.i386.rpm	SHA-256: deff1da33aa029a54b13f79fe579caeeb44ebd806eb39ef7a2c645fdceb09317
openssl097a-0.9.7a-9.el5_4.2.x86_64.rpm	SHA-256: a29f8c8edfc6850b18fc91cf77144af0509c795ee4ac69df3d363baa312a6548
i386
openssl097a-0.9.7a-9.el5_4.2.i386.rpm	SHA-256: deff1da33aa029a54b13f79fe579caeeb44ebd806eb39ef7a2c645fdceb09317

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
openssl097a-0.9.7a-9.el5_4.2.src.rpm	SHA-256: 70e0f0a7ea2dd0c8fc39393696d7adf2ea1e9ab92288872e00c7c478a0a7a3d8
s390x
openssl097a-0.9.7a-9.el5_4.2.s390.rpm	SHA-256: bf5f104847cbbdb4fc8ec11eb3cfb5287d89ef599457637f6b15fce875225328
openssl097a-0.9.7a-9.el5_4.2.s390x.rpm	SHA-256: 859aa30cb60ff1471f6165adbf7fbddc757f8ad5e6436ca0d4d07b31165fd766

Red Hat Enterprise Linux for Power, big endian 5

SRPM
openssl097a-0.9.7a-9.el5_4.2.src.rpm	SHA-256: 70e0f0a7ea2dd0c8fc39393696d7adf2ea1e9ab92288872e00c7c478a0a7a3d8
ppc
openssl097a-0.9.7a-9.el5_4.2.ppc.rpm	SHA-256: 7d13603f4d233e62604920e957eba3bdbb7d2d0dd095c4f39617ce5f0050b7f9
openssl097a-0.9.7a-9.el5_4.2.ppc64.rpm	SHA-256: b646532637a72f6ed26286d74b2e349a81af1b4127733c94ee4a50cc3fd8251c

Red Hat Enterprise Linux Server from RHUI 5

SRPM
openssl097a-0.9.7a-9.el5_4.2.src.rpm	SHA-256: 70e0f0a7ea2dd0c8fc39393696d7adf2ea1e9ab92288872e00c7c478a0a7a3d8
x86_64
openssl097a-0.9.7a-9.el5_4.2.i386.rpm	SHA-256: deff1da33aa029a54b13f79fe579caeeb44ebd806eb39ef7a2c645fdceb09317
openssl097a-0.9.7a-9.el5_4.2.x86_64.rpm	SHA-256: a29f8c8edfc6850b18fc91cf77144af0509c795ee4ac69df3d363baa312a6548
i386
openssl097a-0.9.7a-9.el5_4.2.i386.rpm	SHA-256: deff1da33aa029a54b13f79fe579caeeb44ebd806eb39ef7a2c645fdceb09317