| Descripción: | Description:
The remote host is missing updates announced in
advisory RHSA-2007:1003.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, and is also a
full-strength general-purpose cryptography library.
A flaw was found in the SSL_get_shared_ciphers() utility function. An
attacker could send a list of ciphers to an application that used this
function and overrun a buffer by a single byte (CVE-2007-5135). Few
applications make use of this vulnerable function and generally it is used
only when applications are compiled for debugging.
A number of possible side-channel attacks were discovered affecting
OpenSSL. A local attacker could possibly obtain RSA private keys being used
on a system. In practice these attacks would be difficult to perform
outside of a lab environment. This update contains backported patches to
mitigate these issues. (CVE-2007-3108)
As well, these updated packages fix the following bugs:
* multithreaded applications could cause a segmentation fault or deadlock
when calling the random number generator initialization (RAND_poll) in the
OpenSSL library, for a large number of threads simultaneously.
* in certain circumstances, if an application using the OpenSSL library
reused the SSL session cache for multiple purposes (with various parameters
of the SSL protocol), the session parameters could be mismatched.
* a segmentation fault could occur when a corrupted pkcs12 file was being
loaded using the openssl pkcs12 -in [pkcs12-file] command, where
[pkcs12-file] is the pkcs12 file.
Users of OpenSSL should upgrade to these updated packages, which contain
backported patches to resolve these issues.
Note: After installing this update, users are advised to either restart all
services that use OpenSSL or restart their system.
Solution:
Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date
http://rhn.redhat.com/errata/RHSA-2007-1003.html
http://www.redhat.com/security/updates/classification/#moderate
Risk factor : High
CVSS Score:
6.8
|
