Updated openssl packages are now available for Red Hat Linux 6.x and 7. These packages include security-related changes made in OpenSSL 0.9.6a and 0.9.6b which have been backported to previous versions released for Red Hat Linux. In addition, this advisory provides OpenSSL 0.9.6 packages for Red Hat Linux 7, which may be used by future updates to both Red Hat Linux 7 and Red Hat Linux 7.1.
Versions of OpenSSL prior to 0.9.6a suffer from potential security problems. These include potential leakage of information after SSL version 3 key exchanges, imperfect distribution of the random numbers used when generating signatures, library functions that honor sensitive environment variables when used in setuid or setgid applications, and a lack of precautions against the effects of potential hardware glitches when generating digital signatures. A flaw has also been found in the pseudo-random number generator used in versions of OpenSSL prior to 0.9.6b. The OpenSSL Project Team has released a patch which corrects this problem.