Updated OpenSSL packages are available for CentOS Linux Advanced Server. These updates fix multiple protocol parsing bugs, which may cause a denial of service (DoS) attack or cause SSL-enabled applications to crash. [Updated 06 Jan 2003] Added fixed packages for the ia64 architecture. [Updated 06 Feb 2003] Added fixed packages for Advanced Workstation 2.1
OpenSSL is a commercial-grade, full-featured, and open source toolkit which implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. Portions of the SSL protocol data stream, which include the lengths of structures which are being transferred, may not be properly validated. This may allow a malicious server or client to cause an affected application to crash or enter an infinite loop, which can be used as a denial of service (DoS) attack if the application is a server. It has not been verified if this issue could lead to further consequences such as remote code execution. These errata packages contain a patch to correct this vulnerability. Please note that the original patch from the OpenSSL team had a mistake in it which could possibly still allow buffer overflows to occur. This bug is also fixed in these errata packages. NOTE: Please read the Solution section below as it contains instructions for making sure that all SSL-enabled processes are restarted after the update is applied. Thanks go to the OpenSSL team for providing patches for these issues.