Issued:
2020-04-28
Updated:
2020-04-28

RHSA-2020:1840 - Security Advisory

Synopsis

Moderate: openssl security and bug fix update

Type/Severity

Security Advisory: Moderate

Topic

An update for openssl is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Security Fix(es):

  • openssl: side-channel weak encryption vulnerability (CVE-2019-1547)
  • openssl: information disclosure in fork() (CVE-2019-1549)
  • openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.2 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

  • BZ - 1735738 - openssl speed reports errors in FIPS mode
  • BZ - 1741285 - TLS 1.2 CCM ciphers are not recognised in FIPS mode
  • BZ - 1741317 - 1024 bit DSA key generation is not disabled in FIPS mode
  • BZ - 1741641 - OpenSSL will sign ServerKeyExchange message with SHA-1 in FIPS mode
  • BZ - 1749068 - OpenSSL generates malformed status_request extension in CertificateRequest message in TLS 1.3
  • BZ - 1749790 - OpenSSL advertises ed25519 and ed448 support in CertificateRequest in FIPS mode
  • BZ - 1752090 - CVE-2019-1547 openssl: side-channel weak encryption vulnerability
  • BZ - 1752095 - CVE-2019-1549 openssl: information disclosure in fork()
  • BZ - 1752100 - CVE-2019-1563 openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey
  • BZ - 1758587 - OpenSSL will send unexpected alert for too short ciphertext with specific ciphersuites [rhel-8]
  • BZ - 1793984 - [RHEL 8][s390x] Restore modified SIGILL signal handler during libcrypto library initialisation

CVEs

References

Red Hat Enterprise Linux for x86_64 8

SRPM
openssl-1.1.1c-15.el8.src.rpm SHA-256: 894fbd3a3b565bae93925fe532136b35fd5fb04f13f906547a7c93c121b971f9
x86_64
openssl-1.1.1c-15.el8.x86_64.rpm SHA-256: 3e792adef13b24f2f5d66e38e018a965193f89b6fed4ea1437ca701d422bee5b
openssl-debuginfo-1.1.1c-15.el8.i686.rpm SHA-256: 0cd047aaa879fb660c1f9be0f727432a760108a33506578d5a552def6d6695cf
openssl-debuginfo-1.1.1c-15.el8.x86_64.rpm SHA-256: 83591b0b4bf5ee63aac95b64f3b8b5ab271075aae0d54bb6af1f6a779be53be2
openssl-debugsource-1.1.1c-15.el8.i686.rpm SHA-256: f638ddd75d1cfeb320d6ea402f10b02ae4f3c18f25e9745469cb47c56d41dbb8
openssl-debugsource-1.1.1c-15.el8.x86_64.rpm SHA-256: 62df4c8c20fc99374aa8e86cb6e0243db498692d568ccd5d274b1bb4459a9b64
openssl-devel-1.1.1c-15.el8.i686.rpm SHA-256: 14b156351e38a97f5cc22e81362e6be64d0327aaf202d300f864ca62f6cfb17e
openssl-devel-1.1.1c-15.el8.x86_64.rpm SHA-256: 42af93805445b22c41a731891d948ecea8c5e45d85999f9dd937a70dd670549a
openssl-libs-1.1.1c-15.el8.i686.rpm SHA-256: cb4c5fcfebc9aab008c290ab201c327ac65cadcce87b572b1fd01fa6b74e1beb
openssl-libs-1.1.1c-15.el8.x86_64.rpm SHA-256: 9c7486ee9f7f227cc8b9a928bc1b3ec0128e6fa654c11caaab67490000046280
openssl-libs-debuginfo-1.1.1c-15.el8.i686.rpm SHA-256: d681f94247cb079ad6b547d20806ba32834d89ce2ed0153e9a1f55dd7f4c96d6
openssl-libs-debuginfo-1.1.1c-15.el8.x86_64.rpm SHA-256: ea627876710a77fd1f42e9e2a3deeabedb5374edc95bf300a77303d2552af039
openssl-perl-1.1.1c-15.el8.x86_64.rpm SHA-256: 453046cf9c3ece19bd849887b6e20916c65a2f82e5b43e12bec0a12b9c76708d

Red Hat Enterprise Linux for IBM z Systems 8

SRPM
openssl-1.1.1c-15.el8.src.rpm SHA-256: 894fbd3a3b565bae93925fe532136b35fd5fb04f13f906547a7c93c121b971f9
s390x
openssl-1.1.1c-15.el8.s390x.rpm SHA-256: 55f735aea8ee2737fa63ebf25d27258f93ad119733a3389bfb8ea37ce140725f
openssl-debuginfo-1.1.1c-15.el8.s390x.rpm SHA-256: 9315ce133125c885af73a3136ea2cf6454dc048549cdfb76a17daa260d751b76
openssl-debugsource-1.1.1c-15.el8.s390x.rpm SHA-256: f680783d38d4873a20969f08a23255cb5de5c5f900bbab267e22f990d1e22fd3
openssl-devel-1.1.1c-15.el8.s390x.rpm SHA-256: 1b4850f7f153291efcf67a99b5a1c82931a8db43256af5db58f1164de582f002
openssl-libs-1.1.1c-15.el8.s390x.rpm SHA-256: 6d55aefe2ee59069d22514604c47da81d2638d219fed6e7ea086b0ce64e8c2c0
openssl-libs-debuginfo-1.1.1c-15.el8.s390x.rpm SHA-256: 9928cea024dd0dbe41da7db59619222617d5c0e4ac7f6ccc719fc7d395a2d522
openssl-perl-1.1.1c-15.el8.s390x.rpm SHA-256: b8594d14b1f67af714da7fe18a14c388797d57e7e6b9eac458dccfd8c63ad9b1

Red Hat Enterprise Linux for Power, little endian 8

SRPM
openssl-1.1.1c-15.el8.src.rpm SHA-256: 894fbd3a3b565bae93925fe532136b35fd5fb04f13f906547a7c93c121b971f9
ppc64le
openssl-1.1.1c-15.el8.ppc64le.rpm SHA-256: 18ce56111991b3a74c9700c33fdf2855d1beea8bcfd88f8a3243699b93bf1c90
openssl-debuginfo-1.1.1c-15.el8.ppc64le.rpm SHA-256: 63f0dd42ad51ba0ca0d9e25cd75cb273e9ac84cc2a49a7c73bc161e72c5c5f7f
openssl-debugsource-1.1.1c-15.el8.ppc64le.rpm SHA-256: cf3fa92f211d3c40ff629e6b303ad605e37d8bb60187eb2347c83a93b435a2f5
openssl-devel-1.1.1c-15.el8.ppc64le.rpm SHA-256: 361eb2a605688836af3e0e8016fc8ab8a711c20e7c38f33f004b99efd8d73cbb
openssl-libs-1.1.1c-15.el8.ppc64le.rpm SHA-256: b26a19e3526f8b00580a1437f9f03dc8601c89b9a309a85e28528ccee23ff1b2
openssl-libs-debuginfo-1.1.1c-15.el8.ppc64le.rpm SHA-256: b8666025b3a91790018279b334bb80854562dc0e8b4fa973d072960827527cb1
openssl-perl-1.1.1c-15.el8.ppc64le.rpm SHA-256: 1fa74a7d5a4a3f219a2d2f6916cd5893b79b310c2f66e067f7b6267fdf3020a9

Red Hat Enterprise Linux for ARM 64 8

SRPM
openssl-1.1.1c-15.el8.src.rpm SHA-256: 894fbd3a3b565bae93925fe532136b35fd5fb04f13f906547a7c93c121b971f9
aarch64
openssl-1.1.1c-15.el8.aarch64.rpm SHA-256: 9357d9677258f3a32bf8908998cd7e381ce37396a8b0f5e507474f21e020013c
openssl-debuginfo-1.1.1c-15.el8.aarch64.rpm SHA-256: 623e2d2bbade611793278f14fd777f5c8a9d5281f742395d6e1def64a86b5021
openssl-debugsource-1.1.1c-15.el8.aarch64.rpm SHA-256: 595ec70b64258d17b782bdc96971564a51600e0e4c1f8507a04f8d5e0c1d254a
openssl-devel-1.1.1c-15.el8.aarch64.rpm SHA-256: 4c7e574959cfd942c3b5d933328c0a9878e4fa86c118a8e065b9d6cab7604ca8
openssl-libs-1.1.1c-15.el8.aarch64.rpm SHA-256: ce75ba78da83925de54f66aa518764514c7524291fe68b34b11c7b1e64b391c4
openssl-libs-debuginfo-1.1.1c-15.el8.aarch64.rpm SHA-256: b64050823c9584f62ff874fc63e46a4f5a271b4b5b66b6b7d564216ae34de32b
openssl-perl-1.1.1c-15.el8.aarch64.rpm SHA-256: 6b5a25cc1d543a7e52b5a4d160378a62ccf9e6ac36abf6d6473fd0469198a019

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.