Red Hat Product Errata RHSA-2016:2073 - Security Advisory
Issued: 2016-10-18
Updated: 2016-10-18


Synopsis

Important: openssl security update

Type/Severity

Security Advisory: Important

Topic

An update for openssl is now available for Red Hat Enterprise Linux 6.7 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Security Fix(es):

  • A flaw was found in the way OpenSSL encoded certain ASN.1 data structures. An attacker could use this flaw to create a specially crafted certificate which, when verified or re-encoded by OpenSSL, could cause it to crash, or execute arbitrary code using the permissions of the user running an application compiled against the OpenSSL library. (CVE-2016-2108)
  • Two integer overflow flaws, leading to buffer overflows, were found in the way the EVP_EncodeUpdate() and EVP_EncryptUpdate() functions of OpenSSL parsed very large amounts of input data. A remote attacker could use these flaws to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2105, CVE-2016-2106)
  • It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when the connection used the AES CBC cipher suite and the server supported AES-NI. A remote attacker could possibly use this flaw to retrieve plain text from encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2016-2107)
  • Several flaws were found in the way BIO_*printf functions were implemented in OpenSSL. Applications which passed large amounts of untrusted data through these functions could crash or potentially execute code with the permissions of the user running such an application. (CVE-2016-0799, CVE-2016-2842)
  • A denial of service flaw was found in the way OpenSSL parsed certain ASN.1-encoded data from BIO (OpenSSL's I/O abstraction) inputs. An application using OpenSSL that accepts untrusted ASN.1 BIO input could be forced to allocate an excessive amount of data. (CVE-2016-2109)

Red Hat would like to thank the OpenSSL project for reporting CVE-2016-2108, CVE-2016-2842, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, and CVE-2016-0799. Upstream acknowledges Huzaifa Sidhpurwala (Red Hat), Hanno Böck, and David Benjamin (Google) as the original reporters of CVE-2016-2108; Guido Vranken as the original reporter of CVE-2016-2842, CVE-2016-2105, CVE-2016-2106, and CVE-2016-0799; and Juraj Somorovsky as the original reporter of CVE-2016-2107.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
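Two checks a practitioner wants after reading the Solution section: is the installed openssl build at or past the fixed build this advisory ships (openssl-1.0.1e-42.el6_7.5), and does a running process still map the pre-update library, so it needs the restart the text requires? The example below is added here and is not Red Hat's tooling; it implements a simplified form of RPM's version comparison (tilde and caret ordering omitted, which these builds do not use) and inspects constructed /proc/<pid>/maps text.

```python
# Added example (not part of the advisory): compare an installed openssl NVR
# against the fixed build from RHSA-2016:2073 and detect processes that still
# map a replaced (deleted) libssl/libcrypto and therefore need a restart.
import re

FIXED_VERSION, FIXED_RELEASE = "1.0.1e", "42.el6_7.5"   # fixed build from this advisory
ARCH_SUFFIX = re.compile(r"\.(x86_64|i686|s390x?|ppc64?|noarch|src)(\.rpm)?$")

def rpmvercmp(a, b):
    """Simplified rpmvercmp(): compare alternating numeric/alpha segments.
    Returns -1, 0 or 1. Tilde/caret ordering is omitted (unused here)."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment beats an alpha one
        if x.isdigit():
            x, y = int(x), int(y)             # numeric segments compare as integers
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1     # leftover segments win (e.g. 1.0.1e > 1.0.1)

def split_nvr(pkg):
    """'openssl-1.0.1e-42.el6_7.5.x86_64' -> ('openssl', '1.0.1e', '42.el6_7.5')."""
    name, ver, rel = ARCH_SUFFIX.sub("", pkg).rsplit("-", 2)
    return name, ver, rel

def is_fixed(pkg):
    """True if pkg (any openssl subpackage NVR, optionally with .arch) >= fixed build."""
    name, ver, rel = split_nvr(pkg)
    if not name.startswith("openssl"):
        raise ValueError("not an openssl package: " + pkg)
    # Version decides first; release only breaks a tie (no epoch on these builds).
    return (rpmvercmp(ver, FIXED_VERSION) or rpmvercmp(rel, FIXED_RELEASE)) >= 0

def needs_restart(maps_text):
    """True if /proc/<pid>/maps content shows an OpenSSL library replaced on disk."""
    return any("(deleted)" in line and re.search(r"lib(ssl|crypto)\.so", line)
               for line in maps_text.splitlines())

if __name__ == "__main__":
    # Constructed sample input; on a real RHEL 6.7 host feed it the output of
    # `rpm -q openssl` and the contents of /proc/<pid>/maps instead.
    for p in ["openssl-1.0.1e-42.el6_7.4.x86_64", "openssl-1.0.1e-42.el6_7.5.i686"]:
        print(p, "fixed" if is_fixed(p) else "VULNERABLE")
    sample = "7f1 r-xp 00000000 fd:01 12 /usr/lib64/libssl.so.1.0.1e (deleted)\n"
    print("restart needed:", needs_restart(sample))
```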

Affected Products

  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 6.7 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 6.7 i386
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 6.7 s390x
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 6.7 ppc64
  • Red Hat Enterprise Linux EUS Compute Node 6.7 x86_64
  • Red Hat Enterprise Linux for SAP Solutions for x86_64 - Extended Update Support 6.7 x86_64

Fixes

  • BZ - 1312219 - CVE-2016-0799 OpenSSL: Fix memory issues in BIO_*printf functions
  • BZ - 1314757 - CVE-2016-2842 openssl: doapr_outch function does not verify that certain memory allocation succeeds
  • BZ - 1330101 - CVE-2016-2109 openssl: ASN.1 BIO handling of large amounts of data
  • BZ - 1331402 - CVE-2016-2108 openssl: Memory corruption in the ASN.1 encoder
  • BZ - 1331426 - CVE-2016-2107 openssl: Padding oracle in AES-NI CBC MAC check
  • BZ - 1331441 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow
  • BZ - 1331536 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow

CVEs

  • CVE-2016-0799
  • CVE-2016-2105
  • CVE-2016-2106
  • CVE-2016-2107
  • CVE-2016-2108
  • CVE-2016-2109
  • CVE-2016-2842

References

  • https://access.redhat.com/security/updates/classification/#important
Updated Packages

Note: More recent versions of these packages may be available.

Red Hat Enterprise Linux for x86_64 - Extended Update Support 6.7

SRPM
openssl-1.0.1e-42.el6_7.5.src.rpm
x86_64
openssl-1.0.1e-42.el6_7.5.i686.rpm
openssl-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.i686.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-devel-1.0.1e-42.el6_7.5.i686.rpm
openssl-devel-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-perl-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-static-1.0.1e-42.el6_7.5.x86_64.rpm
i386
openssl-1.0.1e-42.el6_7.5.i686.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.i686.rpm
openssl-devel-1.0.1e-42.el6_7.5.i686.rpm
openssl-perl-1.0.1e-42.el6_7.5.i686.rpm
openssl-static-1.0.1e-42.el6_7.5.i686.rpm

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 6.7

SRPM
openssl-1.0.1e-42.el6_7.5.src.rpm
s390x
openssl-1.0.1e-42.el6_7.5.s390.rpm
openssl-1.0.1e-42.el6_7.5.s390x.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.s390.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.s390x.rpm
openssl-devel-1.0.1e-42.el6_7.5.s390.rpm
openssl-devel-1.0.1e-42.el6_7.5.s390x.rpm
openssl-perl-1.0.1e-42.el6_7.5.s390x.rpm
openssl-static-1.0.1e-42.el6_7.5.s390x.rpm

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 6.7

SRPM
openssl-1.0.1e-42.el6_7.5.src.rpm
ppc64
openssl-1.0.1e-42.el6_7.5.ppc.rpm
openssl-1.0.1e-42.el6_7.5.ppc64.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.ppc.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.ppc64.rpm
openssl-devel-1.0.1e-42.el6_7.5.ppc.rpm
openssl-devel-1.0.1e-42.el6_7.5.ppc64.rpm
openssl-perl-1.0.1e-42.el6_7.5.ppc64.rpm
openssl-static-1.0.1e-42.el6_7.5.ppc64.rpm

Red Hat Enterprise Linux EUS Compute Node 6.7

SRPM
openssl-1.0.1e-42.el6_7.5.src.rpm
x86_64
openssl-1.0.1e-42.el6_7.5.i686.rpm
openssl-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.i686.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-devel-1.0.1e-42.el6_7.5.i686.rpm
openssl-devel-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-perl-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-static-1.0.1e-42.el6_7.5.x86_64.rpm

Red Hat Enterprise Linux for SAP Solutions for x86_64 - Extended Update Support 6.7

SRPM
openssl-1.0.1e-42.el6_7.5.src.rpm
x86_64
openssl-1.0.1e-42.el6_7.5.i686.rpm
openssl-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.i686.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-devel-1.0.1e-42.el6_7.5.i686.rpm
openssl-devel-1.0.1e-42.el6_7.5.x86_64.rpm

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
