AXSA:2019-4126:04

Release date: 
Tuesday, August 20, 2019 - 02:10
Subject: 
openssl-1.0.2k-19.el7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Security Fix(es):

* openssl: 0-byte record padding oracle (CVE-2019-1559)

* openssl: timing side channel attack in the DSA signature algorithm (CVE-2018-0734)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2018-0734
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).
CVE-2019-1559
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. openssl-1.0.2k-19.el7.src.rpm
    MD5: 246594320906adcff5e2f9f5181298fa
    SHA-256: 6bfb49aa5315bed2e37697d7959a0f5d45ac5249943d9b3c7ed756da4286cdc6
    Size: 3.59 MB

Asianux Server 7 for x86_64
  1. openssl-1.0.2k-19.el7.x86_64.rpm
    MD5: ad632d5f34d745bd50ea04d368515c01
    SHA-256: 39bcae575029f1b832e6802609915f02161b85156167a2706ec7674b26baac13
    Size: 492.24 kB
  2. openssl-devel-1.0.2k-19.el7.x86_64.rpm
    MD5: d81f9034d6fb9c924248194372253677
    SHA-256: 59fbe1ceeaf81391afe548d168aa5c7ec867461aa71f10cc98a0f745fd731448
    Size: 1.51 MB
  3. openssl-libs-1.0.2k-19.el7.x86_64.rpm
    MD5: 35b6128e1a9743a42174195b41642474
    SHA-256: 76d72be4d91d034c75a9d028064419e106478d4bb29bf3a7a3fe0d79b7eb0377
    Size: 1.20 MB
  4. openssl-devel-1.0.2k-19.el7.i686.rpm
    MD5: 6bba5ad86625b50da980f2e26d7afeb5
    SHA-256: a59fbc4ac1a100da2c8fc39fdddfe9faee7dc64a8771c2f3160c9fdfc26a21fc
    Size: 1.51 MB
  5. openssl-libs-1.0.2k-19.el7.i686.rpm
    MD5: b0751e6ad81804a82b531976bd9fb464
    SHA-256: 0514f3e9bdf267f443f5d21a39bbc91774c0a8af7b97a6f47d714bb1845234d1
    Size: 0.97 MB
Copyright© 2007-2015 Asianux. All rights reserved.