| Description: | Summary:
The remote host is missing an update for the 'openssl-fips' package(s) announced via the ELSA-2015-3022 advisory.
Vulnerability Insight:
[1.0.1m-2.0.1]
- update to upstream 1.0.1m
- update to fips canister 2.0.9
- regenerated below patches
openssl-1.0.1-beta2-rpmbuild.patch
openssl-1.0.1m-rhcompat.patch
openssl-1.0.1m-ecc-suiteb.patch
openssl-1.0.1m-fips-mode.patch
openssl-1.0.1m-version.patch
openssl-1.0.1m-evp-devel.patch
[1.0.1j-2.0.4]
- [Orabug 20182267] The openssl-fips-devel package should Provide:
openssl-devel and openssl-devel(x86-64) like the standard -devel
package
- The openssl-fips-devel package should include fips.h and fips_rand.h
for apps that want to build against FIPS* APIs
[1.0.1j-2.0.3]
- [Orabug 20086847] reintroduce patch openssl-1.0.1e-ecc-suiteb.patch,
update ec_curve.c which gets copied into build tree to match the patch
(ie only have curves which are advertised). The change items from the
original patch are as follows:
- do not advertise ECC curves we do not support
- fix CPU identification on Cyrix CPUs
[1.0.1j-2.0.2]
- update README.FIPS with step-by-step install instructions
[1.0.1j-2.0.1]
- update to upstream 1.0.1j
- change name to openssl-fips
- change Obsoletes: openssl to Conflicts: openssl
- add Provides: openssl
[1.0.1i-2.0.3.fips]
- update to fips canister 2.0.8 to remove Dual EC DRBG
- run gcc -v so the gcc build version is captured in the build log
[1.0.1i-2.0.2.fips]
- flip EVP_CIPH_* flag bits for compatibility with original RH patched pkg
[1.0.1i-2.0.1.fips]
- build against upstream 1.0.1i
- build against fips validated canister 2.0.7
- add patch to support fips=1
- rename pkg to openssl-fips and Obsolete openssl
[1.0.1e-16.14]
- fix CVE-2010-5298 - possible use of memory after free
- fix CVE-2014-0195 - buffer overflow via invalid DTLS fragment
- fix CVE-2014-0198 - possible NULL pointer dereference
- fix CVE-2014-0221 - DoS from invalid DTLS handshake packet
- fix CVE-2014-0224 - SSL/TLS MITM vulnerability
- fix CVE-2014-3470 - client-side DoS when using anonymous ECDH
[1.0.1e-16.7]
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
[1.0.1e-16.4]
- fix CVE-2013-4353 - Invalid TLS handshake crash
[1.0.1e-16.3]
- fix CVE-2013-6450 - possible MiTM attack on DTLS1
[1.0.1e-16.2]
- fix CVE-2013-6449 - crash when version in SSL structure is incorrect
[1.0.1e-16.1]
- add back some no-op symbols that were inadvertently dropped
[1.0.1e-16]
- do not advertise ECC curves we do not support
- fix CPU identification on Cyrix CPUs
[1.0.1e-15]
- make DTLS1 work in FIPS mode
- avoid RSA and DSA 512 bits and Whirlpool in 'openssl speed' in FIPS mode
[1.0.1e-14]
- installation of dracut-fips marks that the FIPS module is installed
[1.0.1e-13]
- avoid dlopening libssl.so from libcrypto
[1.0.1e-12]
- fix small memory leak in FIPS aes selftest
- fix segfault in openssl speed hmac in the FIPS mode
[1.0.1e-11]
- document the nextprotoneg option in manual pages
original patch by Hubert Kario
[1.0.1e-9]
- always perform the FIPS ... [Please see the references for more information on the vulnerabilities]
Affected Software/OS:
'openssl-fips' package(s) on Oracle Linux 6.
Solution:
Please install the updated package(s).
CVSS Score:
7.5
CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
