Resolution for CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6305, CVE-2016-6306, CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182 (OpenSSL September 22, 2016)

Solution Verified - Updated -

Issue

  • On 22 September 2016, the OpenSSL project team announced the release of OpenSSL versions 1.1.0a, 1.0.2i and to 1.0.1u. These new versions of the OpenSSL toolkit fix several security issues, which have been rated by the Red Hat Product Security team as having a Moderate/Important/Low impact.
  • What Red Hat products and distributed versions of OpenSSL are affected?
  • openssl: Insufficient TLS session ticket HMAC length checks (CVE-2016-6302)
  • openssl: Integer overflow in MDC2_Update() (CVE-2016-6303)
  • openssl: OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
  • openssl: SSL_peek() hang on empty record (CVE-2016-6305)
  • openssl: certificate message OOB reads (CVE-2016-6306)
  • openssl: Possible integer overflow vulnerabilities in codebase (CVE-2016-2177)
  • openssl: Non-constant time codepath followed for certain operations in DSA implementation (CVE-2016-2178)
  • openssl: DTLS memory exhaustion DoS when messages are not removed from fragment buffer (CVE-2016-2179)
  • OpenSSL: OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
  • openssl: DTLS replay protection bypass allows DoS against DTLS connection (CVE-2016-2181)
  • openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec() (CVE-2016-2182)

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 5
  • openssl, openssl097a, openssl098e

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In