[RHSA-2016:1940-01] Important: openssl security update
bugzilla at redhat.com
bugzilla at redhat.com
Tue Sep 27 13:55:19 UTC 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: openssl security update
Advisory ID: RHSA-2016:1940-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-1940.html
Issue date: 2016-09-27
CVE Names: CVE-2016-2177 CVE-2016-2178 CVE-2016-2179
CVE-2016-2180 CVE-2016-2181 CVE-2016-2182
CVE-2016-6302 CVE-2016-6304 CVE-2016-6306
=====================================================================
1. Summary:
An update for openssl is now available for Red Hat Enterprise Linux 6 and
Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) protocols, as well as a full-strength
general-purpose cryptography library.
Security Fix(es):
* A memory leak flaw was found in the way OpenSSL handled TLS status
request extension data during session renegotiation. A remote attacker
could cause a TLS server using OpenSSL to consume an excessive amount of
memory and, possibly, exit unexpectedly after exhausting all available
memory, if it enabled OCSP stapling support. (CVE-2016-6304)
* It was discovered that OpenSSL did not always use constant time
operations when computing Digital Signature Algorithm (DSA) signatures. A
local attacker could possibly use this flaw to obtain a private DSA key
belonging to another user or service running on the same system.
(CVE-2016-2178)
* It was discovered that the Datagram TLS (DTLS) implementation could fail
to release memory in certain cases. A malicious DTLS client could cause a
DTLS server using OpenSSL to consume an excessive amount of memory and,
possibly, exit unexpectedly after exhausting all available memory.
(CVE-2016-2179)
* A flaw was found in the Datagram TLS (DTLS) replay protection
implementation in OpenSSL. A remote attacker could possibly use this flaw
to make a DTLS server using OpenSSL to reject further packets sent from a
DTLS client over an established DTLS connection. (CVE-2016-2181)
* An out of bounds write flaw was discovered in the OpenSSL BN_bn2dec()
function. An attacker able to make an application using OpenSSL to process
a large BIGNUM could cause the application to crash or, possibly, execute
arbitrary code. (CVE-2016-2182)
* A flaw was found in the DES/3DES cipher was used as part of the TLS/SSL
protocol. A man-in-the-middle attacker could use this flaw to recover some
plaintext data by capturing large amounts of encrypted traffic between
TLS/SSL server and client if the communication used a DES/3DES based
ciphersuite. (CVE-2016-2183)
This update mitigates the CVE-2016-2183 issue by lowering priority of DES
cipher suites so they are not preferred over cipher suites using AES. For
compatibility reasons, DES cipher suites remain enabled by default and
included in the set of cipher suites identified by the HIGH cipher string.
Future updates may move them to MEDIUM or not enable them by default.
* An integer underflow flaw leading to a buffer over-read was found in the
way OpenSSL parsed TLS session tickets. A remote attacker could use this
flaw to crash a TLS server using OpenSSL if it used SHA-512 as HMAC for
session tickets. (CVE-2016-6302)
* Multiple integer overflow flaws were found in the way OpenSSL performed
pointer arithmetic. A remote attacker could possibly use these flaws to
cause a TLS/SSL server or client using OpenSSL to crash. (CVE-2016-2177)
* An out of bounds read flaw was found in the way OpenSSL formatted Public
Key Infrastructure Time-Stamp Protocol data for printing. An attacker could
possibly cause an application using OpenSSL to crash if it printed time
stamp data from the attacker. (CVE-2016-2180)
* Multiple out of bounds read flaws were found in the way OpenSSL handled
certain TLS/SSL protocol handshake messages. A remote attacker could
possibly use these flaws to crash a TLS/SSL server or client using OpenSSL.
(CVE-2016-6306)
Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6304
and CVE-2016-6306 and OpenVPN for reporting CVE-2016-2183. Upstream
acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter
of CVE-2016-6304 and CVE-2016-6306; and Karthikeyan Bhargavan (Inria) and
Gaëtan Leurent (Inria) as the original reporters of CVE-2016-2183.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
For the update to take effect, all services linked to the OpenSSL library
must be restarted, or the system rebooted.
5. Bugs fixed (https://bugzilla.redhat.com/):
1341705 - CVE-2016-2177 openssl: Possible integer overflow vulnerabilities in codebase
1343400 - CVE-2016-2178 openssl: Non-constant time codepath followed for certain operations in DSA implementation
1359615 - CVE-2016-2180 OpenSSL: OOB read in TS_OBJ_print_bio()
1367340 - CVE-2016-2182 openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec()
1369113 - CVE-2016-2181 openssl: DTLS replay protection bypass allows DoS against DTLS connection
1369383 - CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)
1369504 - CVE-2016-2179 openssl: DTLS memory exhaustion DoS when messages are not removed from fragment buffer
1369855 - CVE-2016-6302 openssl: Insufficient TLS session ticket HMAC length checks
1377594 - CVE-2016-6306 openssl: certificate message OOB reads
1377600 - CVE-2016-6304 openssl: OCSP Status Request extension unbounded memory growth
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
openssl-1.0.1e-48.el6_8.3.src.rpm
i386:
openssl-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
x86_64:
openssl-1.0.1e-48.el6_8.3.i686.rpm
openssl-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386:
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-devel-1.0.1e-48.el6_8.3.i686.rpm
openssl-perl-1.0.1e-48.el6_8.3.i686.rpm
openssl-static-1.0.1e-48.el6_8.3.i686.rpm
x86_64:
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-devel-1.0.1e-48.el6_8.3.i686.rpm
openssl-devel-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-perl-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-static-1.0.1e-48.el6_8.3.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
openssl-1.0.1e-48.el6_8.3.src.rpm
x86_64:
openssl-1.0.1e-48.el6_8.3.i686.rpm
openssl-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
x86_64:
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-devel-1.0.1e-48.el6_8.3.i686.rpm
openssl-devel-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-perl-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-static-1.0.1e-48.el6_8.3.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
openssl-1.0.1e-48.el6_8.3.src.rpm
i386:
openssl-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-devel-1.0.1e-48.el6_8.3.i686.rpm
ppc64:
openssl-1.0.1e-48.el6_8.3.ppc.rpm
openssl-1.0.1e-48.el6_8.3.ppc64.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.ppc.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.ppc64.rpm
openssl-devel-1.0.1e-48.el6_8.3.ppc.rpm
openssl-devel-1.0.1e-48.el6_8.3.ppc64.rpm
s390x:
openssl-1.0.1e-48.el6_8.3.s390.rpm
openssl-1.0.1e-48.el6_8.3.s390x.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.s390.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.s390x.rpm
openssl-devel-1.0.1e-48.el6_8.3.s390.rpm
openssl-devel-1.0.1e-48.el6_8.3.s390x.rpm
x86_64:
openssl-1.0.1e-48.el6_8.3.i686.rpm
openssl-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-devel-1.0.1e-48.el6_8.3.i686.rpm
openssl-devel-1.0.1e-48.el6_8.3.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
i386:
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-perl-1.0.1e-48.el6_8.3.i686.rpm
openssl-static-1.0.1e-48.el6_8.3.i686.rpm
ppc64:
openssl-debuginfo-1.0.1e-48.el6_8.3.ppc64.rpm
openssl-perl-1.0.1e-48.el6_8.3.ppc64.rpm
openssl-static-1.0.1e-48.el6_8.3.ppc64.rpm
s390x:
openssl-debuginfo-1.0.1e-48.el6_8.3.s390x.rpm
openssl-perl-1.0.1e-48.el6_8.3.s390x.rpm
openssl-static-1.0.1e-48.el6_8.3.s390x.rpm
x86_64:
openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-perl-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-static-1.0.1e-48.el6_8.3.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
openssl-1.0.1e-48.el6_8.3.src.rpm
i386:
openssl-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-devel-1.0.1e-48.el6_8.3.i686.rpm
x86_64:
openssl-1.0.1e-48.el6_8.3.i686.rpm
openssl-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-devel-1.0.1e-48.el6_8.3.i686.rpm
openssl-devel-1.0.1e-48.el6_8.3.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
i386:
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-perl-1.0.1e-48.el6_8.3.i686.rpm
openssl-static-1.0.1e-48.el6_8.3.i686.rpm
x86_64:
openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-perl-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-static-1.0.1e-48.el6_8.3.x86_64.rpm
Red Hat Enterprise Linux Client (v. 7):
Source:
openssl-1.0.1e-51.el7_2.7.src.rpm
x86_64:
openssl-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-libs-1.0.1e-51.el7_2.7.i686.rpm
openssl-libs-1.0.1e-51.el7_2.7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-devel-1.0.1e-51.el7_2.7.i686.rpm
openssl-devel-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-perl-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-static-1.0.1e-51.el7_2.7.i686.rpm
openssl-static-1.0.1e-51.el7_2.7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
openssl-1.0.1e-51.el7_2.7.src.rpm
x86_64:
openssl-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-libs-1.0.1e-51.el7_2.7.i686.rpm
openssl-libs-1.0.1e-51.el7_2.7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64:
openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-devel-1.0.1e-51.el7_2.7.i686.rpm
openssl-devel-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-perl-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-static-1.0.1e-51.el7_2.7.i686.rpm
openssl-static-1.0.1e-51.el7_2.7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
openssl-1.0.1e-51.el7_2.7.src.rpm
ppc64:
openssl-1.0.1e-51.el7_2.7.ppc64.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.ppc.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.ppc64.rpm
openssl-devel-1.0.1e-51.el7_2.7.ppc.rpm
openssl-devel-1.0.1e-51.el7_2.7.ppc64.rpm
openssl-libs-1.0.1e-51.el7_2.7.ppc.rpm
openssl-libs-1.0.1e-51.el7_2.7.ppc64.rpm
ppc64le:
openssl-1.0.1e-51.el7_2.7.ppc64le.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.ppc64le.rpm
openssl-devel-1.0.1e-51.el7_2.7.ppc64le.rpm
openssl-libs-1.0.1e-51.el7_2.7.ppc64le.rpm
s390x:
openssl-1.0.1e-51.el7_2.7.s390x.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.s390.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.s390x.rpm
openssl-devel-1.0.1e-51.el7_2.7.s390.rpm
openssl-devel-1.0.1e-51.el7_2.7.s390x.rpm
openssl-libs-1.0.1e-51.el7_2.7.s390.rpm
openssl-libs-1.0.1e-51.el7_2.7.s390x.rpm
x86_64:
openssl-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-devel-1.0.1e-51.el7_2.7.i686.rpm
openssl-devel-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-libs-1.0.1e-51.el7_2.7.i686.rpm
openssl-libs-1.0.1e-51.el7_2.7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64:
openssl-debuginfo-1.0.1e-51.el7_2.7.ppc.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.ppc64.rpm
openssl-perl-1.0.1e-51.el7_2.7.ppc64.rpm
openssl-static-1.0.1e-51.el7_2.7.ppc.rpm
openssl-static-1.0.1e-51.el7_2.7.ppc64.rpm
ppc64le:
openssl-debuginfo-1.0.1e-51.el7_2.7.ppc64le.rpm
openssl-perl-1.0.1e-51.el7_2.7.ppc64le.rpm
openssl-static-1.0.1e-51.el7_2.7.ppc64le.rpm
s390x:
openssl-debuginfo-1.0.1e-51.el7_2.7.s390.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.s390x.rpm
openssl-perl-1.0.1e-51.el7_2.7.s390x.rpm
openssl-static-1.0.1e-51.el7_2.7.s390.rpm
openssl-static-1.0.1e-51.el7_2.7.s390x.rpm
x86_64:
openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-perl-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-static-1.0.1e-51.el7_2.7.i686.rpm
openssl-static-1.0.1e-51.el7_2.7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
openssl-1.0.1e-51.el7_2.7.src.rpm
x86_64:
openssl-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-devel-1.0.1e-51.el7_2.7.i686.rpm
openssl-devel-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-libs-1.0.1e-51.el7_2.7.i686.rpm
openssl-libs-1.0.1e-51.el7_2.7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-perl-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-static-1.0.1e-51.el7_2.7.i686.rpm
openssl-static-1.0.1e-51.el7_2.7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-2177
https://access.redhat.com/security/cve/CVE-2016-2178
https://access.redhat.com/security/cve/CVE-2016-2179
https://access.redhat.com/security/cve/CVE-2016-2180
https://access.redhat.com/security/cve/CVE-2016-2181
https://access.redhat.com/security/cve/CVE-2016-2182
https://access.redhat.com/security/cve/CVE-2016-6302
https://access.redhat.com/security/cve/CVE-2016-6304
https://access.redhat.com/security/cve/CVE-2016-6306
https://access.redhat.com/security/updates/classification/#important
https://www.openssl.org/news/secadv/20160922.txt
8. Contact:
The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFX6nnFXlSAg2UNWIIRAqklAJ9uGMit/wxZ0CfuGjR7Vi2+AjmGMwCfTpEI
xpTW7ApBLmKhVjs49DGYouI=
=4VgY
-----END PGP SIGNATURE-----
More information about the Enterprise-watch-list
mailing list