RHSA-2010:0978: openssl security update
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
4 | (AV:N/AC:M/Au:N/C:N/I:P/A:N) | December 06, 2010 | December 21, 2010 | July 04, 2017 |
Description
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.

A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code. A remote attacker could possibly use this flaw to change the ciphersuite associated with a cached session stored on the server, if the server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly forcing the client to use a weaker ciphersuite after resuming the session. (CVE-2010-4180, CVE-2008-7270)

Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this bug workaround can no longer be enabled.

All OpenSSL users should upgrade to these updated packages, which contain a backported patch to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
References
- APPLE-APPLE-SA-2011-06-23-1
- BID-45164
- BID-45254
- CERT-VN-737740
- CVE-2008-7270
- CVE-2010-4180
- DEBIAN-DSA-2141
- DISA_SEVERITY-Category I
- DISA_VMSKEY-V0030769
- DISA_VMSKEY-V0033794
- DISA_VMSKEY-V0033884
- IAVM-2011-A-0160
- IAVM-2012-A-0148
- IAVM-2012-A-0153
- OSVDB-69565
- OVAL-OVAL18910
- REDHAT-RHSA-2010:0977
- REDHAT-RHSA-2010:0978
- REDHAT-RHSA-2010:0979
- REDHAT-RHSA-2011:0896
Solution
redhat-upgrade-openssl
Related Vulnerabilities
- OS X update for OpenSSL (CVE-2010-4180)
- SUSE Linux Security Vulnerability: CVE-2010-4180
- Gentoo Linux: CVE-2010-4180: OpenSSL: Multiple vulnerabilities
- Sun Patch: SunOS 5.10_x86: ssl patch
- IBM AIX: openssl_advisory2 (CVE-2010-4180): Vulnerabilities in OpenSSL affect AIX
- Sun Patch: SunOS 5.10: Solaris kernel patch
- Cent OS: CVE-2010-4180: CESA-2010:0977 (openssl)
- Sun Patch: SunOS 5.10_x86: ssl patch
- USN-1029-1: OpenSSL vulnerabilities
- VMSA-2011-0013: ESX third party update for Service Console openssl RPM (CVE-2010-4180)
- Sun Patch: SunOS 5.10: ssh scp patch
- HP-UX: CVE-2010-4180: Running OpenSSL, Remote Execution of Arbitrary Code, Denial of Service (DoS), Authentication Bypass
- SUSE Linux Security Advisory: SUSE-SR:2011:009
- Sun Patch: SunOS 5.10_x86: openssl patch
- Sun Patch: SunOS 5.10: ssl patch for wanboot
- OS X security update 2011-004 for AirPort (CVE-2010-4180)
- SUSE Linux Security Advisory: SUSE-SR:2011:001
- HP iLO: CVE-2008-7270: Denial of Service (DoS), Unauthorized Modification
- RHSA-2010:0977: openssl security update
- HP iLO: CVE-2010-4180: Denial of Service (DoS), Unauthorized Modification
- OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG ciphersuite downgrade (CVE-2010-4180)
- VMSA-2011-0013: ESX third party update for Service Console openssl RPM (CVE-2008-7270)
- ELSA-2010-0977 Moderate: Oracle Linux openssl security update
- SUSE Linux Security Vulnerability: CVE-2008-7270
- Sun Patch: SunOS 5.10: kernel patch
- VMSA-2012-0013: Update to ESX/ESXi userworld OpenSSL library (CVE-2010-4180)
- Cent OS: CVE-2008-7270: CESA-2010:0977 (openssl)
- Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 6
- ELSA-2010-0978 Moderate: Oracle Linux openssl security update
- RHSA-2010:0979: openssl security update