Updated openssl packages that fix one security issue are now available forRed Hat Storage 2.1.The Red Hat Security Response Team has rated this update as havingImportant security impact. A Common Vulnerability Scoring System (CVSS)base score, which gives a detailed severity rating, is available from theCVE link in the References section.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)and Transport Layer Security (TLS v1) protocols, as well as afull-strength, general purpose cryptography library.An information disclosure flaw was found in the way OpenSSL handled TLS andDTLS Heartbeat Extension packets. A malicious TLS or DTLS client or servercould send a specially crafted TLS or DTLS Heartbeat packet to disclose alimited portion of memory per request from a connected client or server.Note that the disclosed portions of memory could potentially includesensitive information such as private keys. (CVE-2014-0160)Red Hat would like to thank the OpenSSL project for reporting this issue.Upstream acknowledges Neel Mehta of Google Security as the originalreporter.All users of Red Hat Storage are advised to upgrade to these updatedpackages, which contain a backported patch to correct this issue. For theupdate to take effect, all services linked to the OpenSSL library (such ashttpd and other SSL-enabled services) must be restarted or the systemrebooted.
Before applying this update, make sure all previously released erratarelevant to your system have been applied.This update is available via the Red Hat Network. Details on how touse the Red Hat Network to apply this update are available athttps://access.redhat.com/site/articles/11258Red Hat Storage Server 2.1
MD5: bd8cd18d0d76eeca5d08781b5b6712b8SHA-256: dd7f3bddba0a4d4084ec98ed71d50314c8644346924676dc9b10cd2de2bc90d1
MD5: 6fcf4efe58746a7b25a7654982b0e3d2SHA-256: 10d813e9fcc55f47655791e269b40fecd45b8396230b1c03a0ed77d859a4b0d2
MD5: 7f8eb8ea7db416e34afeaa6e7d10380aSHA-256: 1d3702a766e4c3b150eb7aa04772e61302e985ddc0d23d05c83b32347891637a
MD5: b23db98a10a6e58ef4a829367496e9dcSHA-256: 6f0e88747e196160a552998c94c13f0be0acd14122d0a8b992833e068b12e9ee
MD5: 5c399d655138be5a4b5da773e3b1af6cSHA-256: da22dff3394579ab544d772d37a3b57b89ee334d96c641409793560b5f17cafc
MD5: b8e2eb964b0b4f4d9fc6ea9676aba257SHA-256: 82412749e48786c0f272ed83b391f6cf56410268e365ace556fedfcb0d04f8e1
(The unlinked packages above are only available from the Red Hat Network)
1084875 – CVE-2014-0160 openssl: information disclosure in handling of TLS heartbeat extension packets
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from: