Does CVE-2011-3207 (openssl: CRL verification vulnerability) affect Red Hat Enterprise Linux 5?

Solution Verified

Issue

  • Under certain circumstances OpenSSL's internal certificate verification routines can incorrectly accept a CRL whose nextUpdate field is in the past (CVE-2011-3207). This issue applies to OpenSSL versions 1.0.0 through 1.0.0d. Versions of OpenSSL before 1.0.0 are not affected.
  • crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not initialize certain structure members, which makes it easier for remote attackers to bypass CRL validation by using a nextUpdate value corresponding to a time in the past.
  • Is CVE-2011-3207 applicable to Red Hat Enterprise Linux 5?
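
The two checks an administrator actually wants here are (a) whether the OpenSSL build on a host falls in the upstream 1.0.0 through 1.0.0d range named above, and (b) whether a CRL in use is the kind the bug let through, one whose nextUpdate is already in the past. The following is an added example written for this article, not Red Hat tooling or OpenSSL code. It parses the plain text printed by `openssl version` and by `openssl crl -noout -lastupdate -nextupdate`, so it runs offline against the constructed sample strings embedded in it; the version banners and CRL dates in it are made up for illustration. One caveat is built in: distributions backport fixes without bumping the upstream version string, so a banner in the affected range means "check the vendor errata for this package release", not "vulnerable".

```python
"""Checks for reasoning about CVE-2011-3207 on a host (added example,
not Red Hat's or OpenSSL's code). Works on the text output of
`openssl version` and `openssl crl -noout -lastupdate -nextupdate`."""
import re
from datetime import datetime, timezone

# Affected range per the advisory quoted in the issue: 1.0.0 .. 1.0.0d.
# Patch letters are mapped a->1, b->2, ... so plain 1.0.0 is (1,0,0,0).
AFFECTED_MIN = (1, 0, 0, 0)
FIXED = (1, 0, 0, 5)  # 1.0.0e carries the fix

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str):
    """'OpenSSL 1.0.0d-fips 8 Feb 2011' -> (1, 0, 0, 4).

    Vendor suffixes such as '-fips' or '-fips-rhel5' are ignored.
    Multi-letter patch levels ('za') are read base-26 so they sort
    after single letters. Returns None for non-OpenSSL banners."""
    m = _VERSION_RE.match(banner.strip())
    if not m:
        return None
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    patch = 0
    for ch in m.group(4):
        patch = patch * 26 + (ord(ch) - ord("a") + 1)
    return (major, minor, fix, patch)


def upstream_affected(banner: str) -> bool:
    """True if the upstream version is in 1.0.0 .. 1.0.0d inclusive.

    Caveat: a backported fix leaves the banner unchanged, so True means
    'consult the vendor errata for this package build', nothing more."""
    v = parse_openssl_version(banner)
    if v is None:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    return AFFECTED_MIN <= v < FIXED


def parse_openssl_time(text: str) -> datetime:
    """Parse 'Sep  5 12:00:00 2011 GMT' as printed by `openssl crl`."""
    dt = datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y GMT")
    return dt.replace(tzinfo=timezone.utc)


def crl_time_status(crl_output: str, now: datetime) -> str:
    """Classify `openssl crl -noout -lastupdate -nextupdate` output.

    Returns 'ok', 'expired' (nextUpdate already past, the case the bug
    accepted) or 'not_yet_valid' (lastUpdate in the future). A CRL
    with 'nextUpdate=NONE' has no expiry and is 'ok' on that axis,
    which is also how a correct OpenSSL treats it."""
    fields = {}
    for line in crl_output.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            fields[k.strip()] = v.strip()
    if "lastUpdate" not in fields:
        raise ValueError("no lastUpdate field in CRL output")
    if now < parse_openssl_time(fields["lastUpdate"]):
        return "not_yet_valid"
    nxt = fields.get("nextUpdate", "NONE")
    if nxt != "NONE" and now > parse_openssl_time(nxt):
        return "expired"
    return "ok"


# Constructed samples (not captured from real hosts).
BANNERS = [
    "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008",   # 0.9.8 branch: not in range
    "OpenSSL 1.0.0d-fips 8 Feb 2011",          # in range
    "OpenSSL 1.0.0e-fips 6 Sep 2011",          # fixed upstream
]
STALE_CRL = "lastUpdate=Aug  1 00:00:00 2011 GMT\nnextUpdate=Aug 31 00:00:00 2011 GMT\n"
FRESH_CRL = "lastUpdate=Aug  1 00:00:00 2011 GMT\nnextUpdate=Oct  1 00:00:00 2011 GMT\n"
NOW = datetime(2011, 9, 6, tzinfo=timezone.utc)

if __name__ == "__main__":
    for b in BANNERS:
        print(f"{b!r}: upstream range affected = {upstream_affected(b)}")
    print("stale CRL:", crl_time_status(STALE_CRL, NOW))
    print("fresh CRL:", crl_time_status(FRESH_CRL, NOW))
```

To use it against a live host, feed `openssl version` into `upstream_affected` and `openssl crl -in ca.crl -noout -lastupdate -nextupdate` into `crl_time_status` with `datetime.now(timezone.utc)`; an "expired" result is exactly the CRL a correctly built OpenSSL rejects with X509_V_ERR_CRL_HAS_EXPIRED when CRL checking is enabled.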

Environment

  • Red Hat Enterprise Linux 4, 5, and 6

  • openssl

  • CVE-2011-3207

Subscriber exclusive content
