OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.

It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-0169)

A NULL pointer dereference flaw was found in the OCSP response verification in OpenSSL. A malicious OCSP server could use this flaw to crash applications performing OCSP verification by sending a specially crafted response. (CVE-2013-0166)

It was discovered that the TLS/SSL protocol could leak information about plain text when optional compression was used. An attacker able to control part of the plain text sent over an encrypted TLS/SSL connection could possibly use this flaw to recover other portions of the plain text. (CVE-2012-4929)

Note: This update disables zlib compression, which was previously enabled in OpenSSL by default. Applications using OpenSSL now need to explicitly enable zlib compression to use it.

It was found that OpenSSL read certain environment variables even when used by a privileged (setuid or setgid) application. A local attacker could use this flaw to escalate their privileges. No application shipped with Red Hat Enterprise Linux 5 and 6 was affected by this problem. (BZ#839735)

All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
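The restart requirement above is easy to miss for long-running daemons. The following script is an added example, not part of the Red Hat advisory: it finds processes that still map the pre-update libssl or libcrypto (Linux marks an unlinked but still-mapped file with "(deleted)" in /proc/PID/maps). The library path pattern and the sample maps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): locate processes that still use
# the old, now deleted OpenSSL shared objects after a package update and
# therefore need to be restarted for the fix to take effect.

# Return 0 if the maps text on stdin references a deleted libssl/libcrypto
# mapping, 1 otherwise. Reading stdin lets the same check run over a
# constructed sample as well as over a real /proc/PID/maps file.
maps_has_stale_openssl() {
    grep -Eq '/lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$'
}

# Scan every process and print "PID COMM" for each one that still maps a
# deleted OpenSSL library. Maps files we may not read (other users'
# processes when not running as root) are silently skipped.
list_stale_openssl_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if maps_has_stale_openssl 2>/dev/null < "$maps"; then
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
}

# Constructed /proc/PID/maps excerpts: one process still holding the
# replaced library (needs restart), one already using the new file.
SAMPLE_STALE='7f3a1c000000-7f3a1c1a0000 r-xp 00000000 fd:01 1234 /usr/lib64/libcrypto.so.1.0.0 (deleted)'
SAMPLE_FRESH='7f3a1c000000-7f3a1c1a0000 r-xp 00000000 fd:01 5678 /usr/lib64/libcrypto.so.1.0.0'

# Run "sh this_script.sh --scan" as root on the updated host to list the
# services that must be restarted (or reboot, as the advisory says).
if [ "${1:-}" = "--scan" ]; then
    list_stale_openssl_processes
fi
```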