Does CVE-2011-3207 (openssl: CRL verification vulnerability) affect Red Hat Enterprise Linux 5?
Issue
- Under certain circumstances, OpenSSL's internal certificate verification routines can incorrectly accept a CRL whose nextUpdate field is in the past (CVE-2011-3207). This issue applies to OpenSSL versions 1.0.0 through 1.0.0d; versions of OpenSSL before 1.0.0 are not affected.
- crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not initialize certain structure members, which makes it easier for remote attackers to bypass CRL validation by using a nextUpdate value corresponding to a time in the past.
- Is CVE-2011-3207 applicable to Red Hat Enterprise Linux 5?
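The two checks a practitioner wants from the description above are (a) whether a given upstream OpenSSL version string falls inside the affected range the article states (1.0.0 through 1.0.0d, fixed in 1.0.0e, nothing before 1.0.0 affected) and (b) what a correct CRL validity-window check looks like, so that a CRL with a nextUpdate in the past is rejected. The Python below is an added example, not code from the Red Hat article or from OpenSSL; the version strings and CRL dates are constructed sample input, and the `time_already_checked` flag is a simplification of the uninitialized-state problem the CVE text describes, not a transcript of x509_vfy.c. One caveat for packaged builds: vendors, Red Hat included, backport fixes without changing the upstream version string, so the version screen alone does not settle the question for a distribution package; the vendor's advisory does.

```python
"""Added example for CVE-2011-3207: version-range screen plus a CRL
validity-window check.  Not from the Red Hat article or from OpenSSL."""
import re
from datetime import datetime, timezone

# Affected range as stated in the article: 1.0.0 .. 1.0.0d; 1.0.0e is fixed.
AFFECTED_FIRST = (1, 0, 0, "")    # 1.0.0 (no patch letter)
FIXED_AT = (1, 0, 0, "e")         # 1.0.0e


def parse_openssl_version(text):
    """Turn 'OpenSSL 1.0.0d 8 Feb 2011' (or a bare '1.0.0d') into a
    comparable tuple (major, minor, fix, patch_letter).  Tuples compare
    element-wise, and '' < 'a' < ... < 'e', which matches OpenSSL's
    letter-suffix ordering for the 1.0.0 series."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError("no OpenSSL version found in: %r" % (text,))
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def is_affected_version(text):
    """True if the *upstream* version lies in [1.0.0, 1.0.0e).
    Caveat: distribution builds may carry a backported fix under an
    unchanged version string, so treat this as a first screen only."""
    return AFFECTED_FIRST <= parse_openssl_version(text) < FIXED_AT


# Result names mirror the OpenSSL verify error names for these conditions.
CRL_OK = "ok"
CRL_NOT_YET_VALID = "X509_V_ERR_CRL_NOT_YET_VALID"
CRL_HAS_EXPIRED = "X509_V_ERR_CRL_HAS_EXPIRED"


def check_crl_window(last_update, next_update, now, time_already_checked=False):
    """Decide whether a CRL's validity window covers 'now'.

    'time_already_checked' models (hypothetically, as a simplification)
    a verifier state member that was never reset: if a stale value says
    the time check has already passed, the check is skipped and a CRL
    whose nextUpdate is in the past gets through.  A correct verifier
    starts from a cleanly initialised state, i.e. False."""
    if time_already_checked:
        return CRL_OK                     # the bug's outcome: no check at all
    if last_update > now:
        return CRL_NOT_YET_VALID
    # nextUpdate is optional in a CRL; when present it must be in the future.
    if next_update is not None and next_update <= now:
        return CRL_HAS_EXPIRED
    return CRL_OK


if __name__ == "__main__":
    # Constructed sample input, not output of any real system.
    for v in ("OpenSSL 1.0.0d 8 Feb 2011", "OpenSSL 1.0.0e 6 Sep 2011",
              "OpenSSL 0.9.8 01 Jan 2009"):
        print("%-28s affected=%s" % (v, is_affected_version(v)))

    now = datetime(2011, 9, 6, tzinfo=timezone.utc)
    last = datetime(2011, 8, 1, tzinfo=timezone.utc)
    stale_next = datetime(2011, 8, 31, tzinfo=timezone.utc)   # already past
    print("correct verifier:", check_crl_window(last, stale_next, now))
    print("uninitialised state:",
          check_crl_window(last, stale_next, now, time_already_checked=True))
```

The version screen is the quick triage step; the CRL check shows the property that must hold after patching: with a cleanly initialised verifier a CRL whose nextUpdate has passed is reported as expired rather than accepted.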
Environment
- Red Hat Enterprise Linux 4, 5, and 6
- openssl
- CVE-2011-3207