MDVSA-2010:076-1

Package name

openssl

Date

2010-04-19

Advisory ID

MDVSA-2010:076-1

Affected versions

2009.0 x86_64 , 2009.0 i586

Problem description

This update fixes several security issues in openssl:
- The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f
through 0.9.8m allows remote attackers to cause a denial of service
(crash) via a malformed record in a TLS connection (CVE-2010-0740)
- OpenSSL before 0.9.8m does not check for a NULL return value
from bn_wexpand function calls which has unspecified impact and
context-dependent attack vectors (CVE-2009-3245)
- The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL
before 0.9.8n, when Kerberos is enabled but Kerberos configuration
files cannot be opened, could allow remote attackers to cause a denial
of service (NULL pointer dereference and daemon crash) (CVE-2010-0433)
- Finally, this update provides support for secure renegotiation,
preventing men-in-the-middle attacks (CVE-2009-3555).

Packages for 2008.0 and 2009.0 are provided due to the Extended
Maintenance Program for those products.

Update:

Packages for 2009.0 are provided due to the Extended Maintenance
Program.

Updated packages

2009.0 x86_64

 f6748700d01abc7e33053e339575cede  2009.0/x86_64/lib64openssl0.9.8-0.9.8h-3.7mdv2009.0.x86_64.rpm
 b53a75b4c732a3371a3bcd0e8ed47481  2009.0/x86_64/lib64openssl0.9.8-devel-0.9.8h-3.7mdv2009.0.x86_64.rpm
 187bff89c19e2d65ccc5c640a32d0cc7  2009.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8h-3.7mdv2009.0.x86_64.rpm
 1d6f6fca3b51e498359cbbbde07a4a0e  2009.0/x86_64/openssl-0.9.8h-3.7mdv2009.0.x86_64.rpm 
 1e1164ec8615415e325166d13c4248cc  2009.0/SRPMS/openssl-0.9.8h-3.7mdv2009.0.src.rpm

2009.0 i586

 1f42cf30ee84314be4125a070709d239  2009.0/i586/libopenssl0.9.8-0.9.8h-3.7mdv2009.0.i586.rpm
 372bffd962ced1965c33b752def70b8b  2009.0/i586/libopenssl0.9.8-devel-0.9.8h-3.7mdv2009.0.i586.rpm
 ace965066796e71bf4ecf4af6bc831c5  2009.0/i586/libopenssl0.9.8-static-devel-0.9.8h-3.7mdv2009.0.i586.rpm
 a6e08ca29b012c695e0763f6fd15fac1  2009.0/i586/openssl-0.9.8h-3.7mdv2009.0.i586.rpm 
 1e1164ec8615415e325166d13c4248cc  2009.0/SRPMS/openssl-0.9.8h-3.7mdv2009.0.src.rpm

References

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0433
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0740
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3245
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555