Rapid7 Vulnerability & Exploit Database

RHSA-2002:161: openssl security update

Back to Search

RHSA-2002:161: openssl security update

Severity
5
CVSS
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Published
08/12/2002
Created
07/25/2018
Added
10/28/2005
Modified
07/12/2017

Description

Updated OpenSSL packages are available for Red Hat Linux Advanced Server. These updates fix multiple protocol parsing bugs, which may cause a denial of service (DoS) attack or cause SSL-enabled applications to crash. [Updated 06 Jan 2003] Added fixed packages for the ia64 architecture. [Updated 06 Feb 2003] Added fixed packages for Advanced Workstation 2.1

OpenSSL is a commercial-grade, full-featured, and open source toolkit which implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. Portions of the SSL protocol data stream, which include the lengths of structures which are being transferred, may not be properly validated. This may allow a malicious server or client to cause an affected application to crash or enter an infinite loop, which can be used as a denial of service (DoS) attack if the application is a server. It has not been verified if this issue could lead to further consequences such as remote code execution. These errata packages contain a patch to correct this vulnerability. Please note that the original patch from the OpenSSL team had a mistake in it which could possibly still allow buffer overflows to occur. This bug is also fixed in these errata packages. NOTE: Please read the Solution section below as it contains instructions for making sure that all SSL-enabled processes are restarted after the update is applied. Thanks go to the OpenSSL team for providing patches for these issues.

Solution(s)

  • redhat-upgrade-openssl
  • redhat-upgrade-openssl-devel
  • redhat-upgrade-openssl-perl
  • redhat-upgrade-openssl095a
  • redhat-upgrade-openssl096

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;