2019/08/20 Tuesday - 02:10
Asianux Server 7 for x86_64

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Security Fix(es):

* openssl: 0-byte record padding oracle (CVE-2019-1559)

* openssl: timing side channel attack in the DSA signature algorithm (CVE-2018-0734)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Asianux Server 7.7 Release Notes linked from the References section.

CVE-2018-0734: The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).

CVE-2019-1559: If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one), then OpenSSL can respond differently to the calling application if a 0-byte record is received with invalid padding compared to if a 0-byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable, "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also, the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this, but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).


Update packages.




1. openssl-1.0.2k-19.el7.src.rpm
md5sum: 246594320906adcff5e2f9f5181298fa
sha256sum: 6bfb49aa5315bed2e37697d7959a0f5d45ac5249943d9b3c7ed756da4286cdc6
Size: 3,672 Kb

Asianux Server 7.0 for x86_64
1. openssl-1.0.2k-19.el7.x86_64.rpm
md5sum: ad632d5f34d745bd50ea04d368515c01
sha256sum: 39bcae575029f1b832e6802609915f02161b85156167a2706ec7674b26baac13
Size: 492 Kb
2. openssl-devel-1.0.2k-19.el7.x86_64.rpm
md5sum: d81f9034d6fb9c924248194372253677
sha256sum: 59fbe1ceeaf81391afe548d168aa5c7ec867461aa71f10cc98a0f745fd731448
Size: 1,543 Kb
3. openssl-libs-1.0.2k-19.el7.x86_64.rpm
md5sum: 35b6128e1a9743a42174195b41642474
sha256sum: 76d72be4d91d034c75a9d028064419e106478d4bb29bf3a7a3fe0d79b7eb0377
Size: 1,224 Kb
4. openssl-devel-1.0.2k-19.el7.i686.rpm
md5sum: 6bba5ad86625b50da980f2e26d7afeb5
sha256sum: a59fbc4ac1a100da2c8fc39fdddfe9faee7dc64a8771c2f3160c9fdfc26a21fc
Size: 1,543 Kb
5. openssl-libs-1.0.2k-19.el7.i686.rpm
md5sum: b0751e6ad81804a82b531976bd9fb464
sha256sum: 0514f3e9bdf267f443f5d21a39bbc91774c0a8af7b97a6f47d714bb1845234d1
Size: 995 Kb
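
The updated packages above keep the version string 1.0.2k and differ from earlier builds only in the release field (19.el7), so a patch check has to compare version and release rather than look for the upstream 1.0.2q or 1.0.2r numbers. The following is an added example, not part of the original advisory: a Python check over `rpm -qa` style lines. The inventory lines are constructed sample data, the function names are hypothetical, and the comparison assumes all packages share the same epoch and use no `~` or `^` in their versions.

```python
import re

# Fixed version-release taken from this advisory's package list.
FIXED_VR = "1.0.2k-19.el7"
PACKAGES = {"openssl", "openssl-libs", "openssl-devel"}

# Constructed sample of `rpm -qa` output (NAME-VERSION-RELEASE.ARCH), not real host data.
SAMPLE_INVENTORY = """\
openssl-1.0.2k-16.el7.x86_64
openssl-libs-1.0.2k-19.el7.x86_64
openssl-devel-1.0.2k-8.el7.i686
bash-4.2.46-33.el7.x86_64
"""

def rpmvercmp(a, b):
    """Segment-wise comparison in the style of rpm (no '~' or '^' handling)."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment is newer than alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra trailing segments are newer

def split_nvra(nvra):
    """Split 'name-version-release.arch' into its four fields."""
    nvr, arch = nvra.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch

def needs_update(nvra):
    """True if the package is one of the advisory's packages and older than the fix."""
    name, version, release, _ = split_nvra(nvra)
    if name not in PACKAGES:
        return False
    fixed_version, fixed_release = FIXED_VR.split("-")
    result = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return result < 0

def outdated(inventory):
    return [line for line in inventory.split() if needs_update(line)]

if __name__ == "__main__":
    for pkg in outdated(SAMPLE_INVENTORY):
        print("needs update:", pkg)
```

On a real host the input would be the output of `rpm -qa`; both the x86_64 and i686 builds of openssl-libs and openssl-devel need to be at the fixed release where they are installed.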
