An update for openssl is now available for Red Hat Enterprise Linux 6.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important.

A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Security Fix(es):

* A flaw was found in the way OpenSSL encoded certain ASN.1 data structures. An attacker could use this flaw to create a specially crafted certificate which, when verified or re-encoded by OpenSSL, could cause it to crash, or execute arbitrary code using the permissions of the user running an application compiled against the OpenSSL library. (CVE-2016-2108)

* Two integer overflow flaws, leading to buffer overflows, were found in the way the EVP_EncodeUpdate() and EVP_EncryptUpdate() functions of OpenSSL parsed very large amounts of input data. A remote attacker could use these flaws to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2105, CVE-2016-2106)

* It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when the connection used the AES CBC cipher suite and the server supported AES-NI. A remote attacker could possibly use this flaw to retrieve plain text from encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2016-2107)

* Several flaws were found in the way BIO_*printf functions were implemented in OpenSSL. Applications which passed large amounts of untrusted data through these functions could crash or potentially execute code with the permissions of the user running such an application. (CVE-2016-0799, CVE-2016-2842)

* A denial of service flaw was found in the way OpenSSL parsed certain ASN.1-encoded data from BIO (OpenSSL's I/O abstraction) inputs. An application using OpenSSL that accepts untrusted ASN.1 BIO input could be forced to allocate an excessive amount of data. (CVE-2016-2109)

Red Hat would like to thank the OpenSSL project for reporting CVE-2016-2108, CVE-2016-2842, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, and CVE-2016-0799. Upstream acknowledges Huzaifa Sidhpurwala (Red Hat), Hanno Böck, and David Benjamin (Google) as the original reporters of CVE-2016-2108; Guido Vranken as the original reporter of CVE-2016-2842, CVE-2016-2105, CVE-2016-2106, and CVE-2016-0799; and Juraj Somorovsky as the original reporter of CVE-2016-2107.
For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

Red Hat Enterprise Linux Server EUS (v. 6.7.z)

SRPMS:
openssl-1.0.1e-42.el6_7.5.src.rpm

IA-32:
openssl-1.0.1e-42.el6_7.5.i686.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.i686.rpm
openssl-devel-1.0.1e-42.el6_7.5.i686.rpm
openssl-perl-1.0.1e-42.el6_7.5.i686.rpm
openssl-static-1.0.1e-42.el6_7.5.i686.rpm

PPC:
openssl-1.0.1e-42.el6_7.5.ppc.rpm
openssl-1.0.1e-42.el6_7.5.ppc64.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.ppc.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.ppc64.rpm
openssl-devel-1.0.1e-42.el6_7.5.ppc.rpm
openssl-devel-1.0.1e-42.el6_7.5.ppc64.rpm
openssl-perl-1.0.1e-42.el6_7.5.ppc64.rpm
openssl-static-1.0.1e-42.el6_7.5.ppc64.rpm

s390x:
openssl-1.0.1e-42.el6_7.5.s390.rpm
openssl-1.0.1e-42.el6_7.5.s390x.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.s390.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.s390x.rpm
openssl-devel-1.0.1e-42.el6_7.5.s390.rpm
openssl-devel-1.0.1e-42.el6_7.5.s390x.rpm
openssl-perl-1.0.1e-42.el6_7.5.s390x.rpm
openssl-static-1.0.1e-42.el6_7.5.s390x.rpm

x86_64:
openssl-1.0.1e-42.el6_7.5.i686.rpm
openssl-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.i686.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-devel-1.0.1e-42.el6_7.5.i686.rpm
openssl-devel-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-perl-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-static-1.0.1e-42.el6_7.5.x86_64.rpm

(The unlinked packages above are only available from the Red Hat Network)

1312219 – CVE-2016-0799 OpenSSL: Fix memory issues in BIO_*printf functions
1314757 – CVE-2016-2842 openssl: doapr_outch function does not verify that certain memory allocation succeeds
1330101 – CVE-2016-2109 openssl: ASN.1 BIO handling of large amounts of data
1331402 – CVE-2016-2108 openssl: Memory corruption in the ASN.1 encoder
1331426 – CVE-2016-2107 openssl: Padding oracle in AES-NI CBC MAC check
1331441 – CVE-2016-2105 openssl: EVP_EncodeUpdate overflow
1331536 – CVE-2016-2106 openssl: EVP_EncryptUpdate overflow
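One way to confirm on a RHEL 6 host that the CVE fixes listed above are installed and that the restart requirement has been met, as an added example that is not part of the advisory or of Red Hat's tooling; it assumes that `rpm -q --changelog openssl` names the fixed CVEs and that processes holding the replaced library show it as "(deleted)" in /proc/PID/maps:

```shell
#!/bin/sh
# Post-update check for the openssl erratum above (added example, not Red
# Hat's own tooling). Two defender-side checks:
#  1. the installed openssl package changelog records the advisory's CVEs
#     (Red Hat notes fixed CVEs in the package %changelog);
#  2. no running process still maps an OpenSSL library the kernel marks
#     "(deleted)", i.e. it loaded the old file and needs a restart.
set -u
# CVEs fixed by this advisory, taken from the advisory text.
ADVISORY_CVES="CVE-2016-2105 CVE-2016-2106 CVE-2016-2107 CVE-2016-2108
CVE-2016-2109 CVE-2016-0799 CVE-2016-2842"

# missing_cves CHANGELOG_TEXT: print each advisory CVE absent from the text.
missing_cves() {
    for cve in $ADVISORY_CVES; do
        printf '%s\n' "$1" | grep -q -- "$cve" || printf '%s\n' "$cve"
    done
}

# stale_openssl_maps MAPS_TEXT: from /proc/PID/maps content, print the
# libssl/libcrypto paths marked "(deleted)" (field 6 is the pathname).
stale_openssl_maps() {
    printf '%s\n' "$1" \
        | grep -E 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$' \
        | awk '{ print $6 }' | sort -u
}

# scan_live: run both checks on this host; returns 1 if action is needed.
scan_live() {
    rc=0
    missing=$(missing_cves "$(rpm -q --changelog openssl 2>/dev/null)")
    if [ -n "$missing" ]; then
        printf 'openssl changelog lacks:\n%s\n' "$missing"; rc=1
    fi
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        stale=$(stale_openssl_maps "$(cat "$maps" 2>/dev/null)")
        if [ -n "$stale" ]; then
            printf 'PID %s needs restart (stale %s)\n' "$pid" "$stale"; rc=1
        fi
    done
    return $rc
}

# Constructed /proc/PID/maps sample (not a real capture) for offline use.
SAMPLE_MAPS='7f1a r-xp 00000000 fd:00 5 /usr/lib64/libssl.so.1.0.1e (deleted)
7f1b r-xp 00000000 fd:00 6 /usr/lib64/libcrypto.so.1.0.1e'

if [ "${1:-}" = "--scan" ]; then scan_live; else stale_openssl_maps "$SAMPLE_MAPS"; fi
```

Run with `--scan` as root on the updated host; without arguments it only exercises the parser on the constructed sample.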

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
