openssl-0.9.8e-20.AXS3.1

エラータID: AXSA:2012-71:01

Release date: 
Monday, February 6, 2012 - 19:39
Subject: 
openssl-0.9.8e-20.AXS3.1
Affected Channels: 
Asianux Server 3 for x86_64
Asianux Server 3 for x86
Severity: 
High
Description: 

The OpenSSL toolkit provides support for secure communications between machines. OpenSSL includes a certificate management tool and shared libraries which provide various cryptographic algorithms and protocols.
Security issues fixed with this release:
CVE-2011-4108
The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack.
CVE-2011-4109
Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to have an unspecified impact by triggering failure of a policy check.
CVE-2011-4576
The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.
CVE-2011-4619
The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service via unspecified vectors.

Solution: 

Update packages.

CVEs: 
CVE-2011-4108
The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack.
CVE-2011-4109
Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to have an unspecified impact by triggering failure of a policy check.
CVE-2011-4576
The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.
CVE-2011-4619
The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.


Additional Info: 

N/A

Download: 

SRPMS
  1. openssl-0.9.8e-20.AXS3.1.src.rpm
    MD5: de2a28740b2a19163443e5d547a03781
    SHA-256: d7462fc8bd40db685295402075b7dbdf57bea0f64ffbbe72db0013e72b83bea8
    Size: 3.12 MB

Asianux Server 3 for x86
  1. openssl-0.9.8e-20.AXS3.1.i386.rpm
    MD5: 8a4814e7e2b67f29e9405a02bb7b8ed6
    SHA-256: c3e058ff1619d07819c8ee504ad8f6f8df2edee2b35b92e2b4b3c9a60c20bb31
    Size: 1.46 MB
  2. openssl-0.9.8e-20.AXS3.1.i686.rpm
    MD5: 3ba06d154689066f3588f3f006660463
    SHA-256: 25a2497c2ac571870ea7d9269923f5bcb9e8cfeee2f98af41c89ab09fdeaaad3
    Size: 1.44 MB
  3. openssl-devel-0.9.8e-20.AXS3.1.i386.rpm
    MD5: eeed05bf512858b178e990912bc4b4f4
    SHA-256: 35382106a842291398b33d86818884618510685a6bdb760060c2846400c4b8d1
    Size: 1.90 MB
  4. openssl-perl-0.9.8e-20.AXS3.1.i386.rpm
    MD5: a8fb5b100c7b26233ee1c7ff2ce9be52
    SHA-256: fc187b246fa6da1becf683ec6a44bb8c1d0d2e50c9681ec4de5519dbc0776617
    Size: 35.70 kB

Asianux Server 3 for x86_64
  1. openssl-0.9.8e-20.AXS3.1.x86_64.rpm
    MD5: c6f7c6bddc935fa1eaece9ea5a4d5f2e
    SHA-256: 16ef6fa4d64f0f0f611fb972ad1a0d2f43c2ffa2e91c50f5802a1d84cf859611
    Size: 1.44 MB
  2. openssl-devel-0.9.8e-20.AXS3.1.x86_64.rpm
    MD5: 5036fa1fc84b492e995735840ef466f2
    SHA-256: 2ba679069a5389c0e3b39dca743373a3dda3c11cebfe82d2351e47fd9230d3a8
    Size: 1.88 MB
  3. openssl-perl-0.9.8e-20.AXS3.1.x86_64.rpm
    MD5: b25776603be8c77bcb40355951121864
    SHA-256: 960776ac5d4d2af77803ac2a4af5cbe5569ab364a52bb18fd3e7e677437aefdd
    Size: 35.66 kB