Red Hat Local Security Checks : RedHat Security Advisory RHSA-2005:476

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.52987

Categoría: Red Hat Local Security Checks

Título: RedHat Security Advisory RHSA-2005:476

Resumen: NOSUMMARY

Descripción: Description:

The remote host is missing updates announced in
advisory RHSA-2005:476.

OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

Colin Percival reported a cache timing attack that could allow a malicious
local user to gain portions of cryptographic keys. The Common
Vulnerabilities and Exposures project (cve.mitre.org) assigned the name
CVE-2005-0109 to the issue. The OpenSSL library has been patched to add a
new fixed-window mod_exp implementation as default for RSA, DSA, and DH
private-key operations. This patch is designed to mitigate cache timing
and potentially related attacks.

A flaw was found in the way the der_chop script creates temporary files. It
is possible that a malicious local user could cause der_chop to overwrite
files (CVE-2004-0975). The der_chop script was deprecated and has been
removed from these updated packages. Red Hat Enterprise Linux 4 did not
ship der_chop and is therefore not vulnerable to this issue.

Users are advised to update to these erratum packages which contain patches
to correct these issues.

Please note: After installing this update, users are advised to either
restart all services that use OpenSSL or restart their system.

Solution:
Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date

http://rhn.redhat.com/errata/RHSA-2005-476.html

Risk factor : High

CVSS Score:
7.2

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2004-0975
BugTraq ID: 11293
http://www.securityfocus.com/bid/11293
Debian Security Information: DSA-603 (Google Search)
http://www.debian.org/security/2004/dsa-603
http://www.gentoo.org/security/en/glsa/glsa-200411-15.xml
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10621
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A164
http://www.redhat.com/support/errata/RHSA-2005-476.html
http://secunia.com/advisories/12973
http://www.trustix.org/errata/2004/0050
XForce ISS Database: script-temporary-file-overwrite(17583)
https://exchange.xforce.ibmcloud.com/vulnerabilities/17583
Common Vulnerability Exposure (CVE) ID: CVE-2005-0109
BugTraq ID: 12724
http://www.securityfocus.com/bid/12724
CERT/CC vulnerability note: VU#911878
http://www.kb.cert.org/vuls/id/911878
FreeBSD Security Advisory: FreeBSD-SA-05:09
http://www-1.ibm.com/support/docview.wss?uid=isg1SSRVHMCHMC_C081516_754
http://www.daemonology.net/hyperthreading-considered-harmful/
http://www.daemonology.net/papers/htt.pdf
http://marc.info/?l=freebsd-hackers&m=110994026421858&w=2
http://marc.info/?l=freebsd-security&m=110994370429609&w=2
http://marc.info/?l=openbsd-misc&m=110995101417256&w=2
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9747
http://www.redhat.com/support/errata/RHSA-2005-800.html
SCO Security Bulletin: SCOSA-2005.24
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.24/SCOSA-2005.24.txt
http://securitytracker.com/id?1013967
http://secunia.com/advisories/15348
http://secunia.com/advisories/18165
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101739-1
http://www.vupen.com/english/advisories/2005/0540
http://www.vupen.com/english/advisories/2005/3002

Copyright Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.52987
Categoría:	Red Hat Local Security Checks
Título:	RedHat Security Advisory RHSA-2005:476
Resumen:	NOSUMMARY
Descripción:	Description: The remote host is missing updates announced in advisory RHSA-2005:476. OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. Colin Percival reported a cache timing attack that could allow a malicious local user to gain portions of cryptographic keys. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2005-0109 to the issue. The OpenSSL library has been patched to add a new fixed-window mod_exp implementation as default for RSA, DSA, and DH private-key operations. This patch is designed to mitigate cache timing and potentially related attacks. A flaw was found in the way the der_chop script creates temporary files. It is possible that a malicious local user could cause der_chop to overwrite files (CVE-2004-0975). The der_chop script was deprecated and has been removed from these updated packages. Red Hat Enterprise Linux 4 did not ship der_chop and is therefore not vulnerable to this issue. Users are advised to update to these erratum packages which contain patches to correct these issues. Please note: After installing this update, users are advised to either restart all services that use OpenSSL or restart their system. Solution: Please note that this update is available via Red Hat Network. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date http://rhn.redhat.com/errata/RHSA-2005-476.html Risk factor : High CVSS Score: 7.2
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2004-0975 BugTraq ID: 11293 http://www.securityfocus.com/bid/11293 Debian Security Information: DSA-603 (Google Search) http://www.debian.org/security/2004/dsa-603 http://www.gentoo.org/security/en/glsa/glsa-200411-15.xml https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10621 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A164 http://www.redhat.com/support/errata/RHSA-2005-476.html http://secunia.com/advisories/12973 http://www.trustix.org/errata/2004/0050 XForce ISS Database: script-temporary-file-overwrite(17583) https://exchange.xforce.ibmcloud.com/vulnerabilities/17583 Common Vulnerability Exposure (CVE) ID: CVE-2005-0109 BugTraq ID: 12724 http://www.securityfocus.com/bid/12724 CERT/CC vulnerability note: VU#911878 http://www.kb.cert.org/vuls/id/911878 FreeBSD Security Advisory: FreeBSD-SA-05:09 http://www-1.ibm.com/support/docview.wss?uid=isg1SSRVHMCHMC_C081516_754 http://www.daemonology.net/hyperthreading-considered-harmful/ http://www.daemonology.net/papers/htt.pdf http://marc.info/?l=freebsd-hackers&m=110994026421858&w=2 http://marc.info/?l=freebsd-security&m=110994370429609&w=2 http://marc.info/?l=openbsd-misc&m=110995101417256&w=2 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9747 http://www.redhat.com/support/errata/RHSA-2005-800.html SCO Security Bulletin: SCOSA-2005.24 ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.24/SCOSA-2005.24.txt http://securitytracker.com/id?1013967 http://secunia.com/advisories/15348 http://secunia.com/advisories/18165 http://sunsolve.sun.com/search/document.do?assetkey=1-26-101739-1 http://www.vupen.com/english/advisories/2005/0540 http://www.vupen.com/english/advisories/2005/3002
Copyright	Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com