Vulnerability & Exploit Database


RHSA-2013:0587: openssl security update

Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Published: February 08, 2013
Added: March 05, 2013
Modified: July 04, 2017

Description

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.

It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-0169)

A NULL pointer dereference flaw was found in the OCSP response verification in OpenSSL. A malicious OCSP server could use this flaw to crash applications performing OCSP verification by sending a specially-crafted response. (CVE-2013-0166)

It was discovered that the TLS/SSL protocol could leak information about plain text when optional compression was used. An attacker able to control part of the plain text sent over an encrypted TLS/SSL connection could possibly use this flaw to recover other portions of the plain text. (CVE-2012-4929)

Note: This update disables zlib compression, which was previously enabled in OpenSSL by default. Applications using OpenSSL now need to explicitly enable zlib compression to use it.

It was found that OpenSSL read certain environment variables even when used by a privileged (setuid or setgid) application. A local attacker could use this flaw to escalate their privileges. No application shipped with Red Hat Enterprise Linux 5 and 6 was affected by this problem. (BZ#839735)

All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
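The advisory's last point is the one most often missed in practice: installing the updated packages does not help a daemon that still has the old libssl/libcrypto mapped in memory. The script below is an added example, not part of the Red Hat advisory or of this database entry; it assumes a Linux host with the standard /proc layout, where a shared object that was replaced on disk after a process loaded it shows up in /proc/<pid>/maps with a trailing "(deleted)" marker. The library file names and map entries in the constructed sample are placeholders, not the sonames of any particular package version.

```shell
#!/bin/sh
# Added example: find processes that still map a libssl/libcrypto object that
# was replaced on disk, i.e. services that have not been restarted after an
# OpenSSL update. The kernel appends " (deleted)" to such map entries.

# stale_openssl_maps MAPS_FILE
#   Print (unique, sorted) pathnames of libssl/libcrypto objects in MAPS_FILE
#   whose on-disk file was removed or replaced after being mapped.
#   /proc/<pid>/maps columns: address perms offset dev inode pathname [(deleted)]
stale_openssl_maps() {
    awk '$6 ~ /lib(ssl|crypto)\.so/ && $NF == "(deleted)" { print $6 }' "$1" | sort -u
}

# has_stale_openssl MAPS_FILE
#   Exit status 0 if at least one stale OpenSSL mapping is present, 1 otherwise.
has_stale_openssl() {
    [ -n "$(stale_openssl_maps "$1")" ]
}

# scan_running_processes
#   Walk every readable /proc/<pid>/maps on the live host and print
#   "<pid> <comm> <stale path>" for each process that needs a restart.
#   Run as root to see other users' processes.
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        [ -r "$maps" ] || continue
        stale_openssl_maps "$maps" 2>/dev/null | while read -r path; do
            comm=$(cat "/proc/$pid/comm" 2>/dev/null)
            echo "$pid ${comm:-?} $path"
        done
    done
}

# demo
#   Run the parser over a constructed maps file (not captured from a real host):
#   two stale OpenSSL objects, one current libc, and one stale non-OpenSSL
#   library that must be ignored.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
7f1b2c000000-7f1b2c1a4000 r-xp 00000000 fd:01 1311040 /usr/lib64/libcrypto.so.1.0.0 (deleted)
7f1b2c3a4000-7f1b2c3c0000 r--p 001a4000 fd:01 1311040 /usr/lib64/libcrypto.so.1.0.0 (deleted)
7f1b2c400000-7f1b2c45e000 r-xp 00000000 fd:01 1311050 /usr/lib64/libssl.so.1.0.0 (deleted)
7f1b2c800000-7f1b2c9b0000 r-xp 00000000 fd:01 1310000 /lib64/libc-2.12.so
7f1b2cc00000-7f1b2cc20000 r-xp 00000000 fd:01 1310100 /lib64/libz.so.1 (deleted)
EOF
    stale_openssl_maps "$tmp"
    rm -f "$tmp"
}

# Usage: sh restart-check.sh demo   (constructed sample)
#        sh restart-check.sh scan   (live host)
case "${1:-}" in
    demo) demo ;;
    scan) scan_running_processes ;;
esac
```

Matching on "(deleted)" is a deliberately conservative signal: it also fires when a library was merely moved or rebuilt in place, so treat a hit as "this service has not picked up the on-disk library" rather than as proof of a vulnerable version. A process that shows nothing here but was started before the update can still hold old code if the package manager replaced the file under the same inode, so on fleets it is simpler to restart every TLS-facing service (or reboot, as the advisory says) than to reason per process.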


References

Solution

redhat-upgrade-openssl

Related Vulnerabilities