Openssl; Rhsa-2009:1335: Moderate Security, Bug Fix, And Enhancement Update - Red Hat ENTERPRISE LINUX 5.4 - TECHNICAL NOTES Manual

Chapter 1. Package Updates

1.165. openssl

1.165.1. RHSA-2009:1335: Moderate security, bug fix, and
enhancement update
Updated openssl packages that fix several security issues, various bugs, and add enhancements are
now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response
Team.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer
Security (TLS v1) protocols, as well as a full-strength general purpose cryptography library. Datagram
TLS (DTLS) is a protocol based on TLS that is capable of securing datagram transport (for example,
UDP).
Multiple denial of service flaws were discovered in OpenSSL's DTLS implementation. A remote
attacker could use these flaws to cause a DTLS server to use excessive amounts of memory, or crash
on an invalid memory access or NULL pointer dereference.
1359
CVE-2009-1379 CVE-2009-1386
,
Note: These flaws only affect applications that use DTLS. Red Hat does not ship any DTLS client or
server applications in Red Hat Enterprise Linux.
An input validation flaw was found in the handling of the BMPString and UniversalString ASN1 string
types in OpenSSL's ASN1_STRING_print_ex() function. An attacker could use this flaw to create a
specially-crafted X.509 certificate that could cause applications using the affected function to crash
when printing certificate contents.
Note: The affected function is rarely used. No application shipped with Red Hat Enterprise Linux calls
this function, for example.
These updated packages also fix the following bugs:
• "openssl smime -verify -in" verifies the signature of the input file and the "-verify" switch expects a
signed or encrypted input file. Previously, running openssl on an S/MIME file that was not encrypted
or signed caused openssl to segfault. With this update, the input file is now checked for a signature
or encryption. Consequently, openssl now returns an error and quits when attempting to verify an
unencrypted or unsigned S/MIME file.
• when generating RSA keys, pairwise tests were called even in non-FIPS mode. This prevented
small keys from being generated. With this update, generating keys in non-FIPS mode no longer
calls the pairwise tests and keys as small as 32-bits can be generated in this mode. Note: In FIPS
mode, pairwise tests are still called and keys generated in this mode must still be 1024-bits or
1364
larger. (BZ#479817
As well, these updated packages add the following enhancements:
1357
https://www.redhat.com/security/data/cve/CVE-2009-1377.html
1358
https://www.redhat.com/security/data/cve/CVE-2009-1378.html
1359
https://www.redhat.com/security/data/cve/CVE-2009-1379.html
1360
https://www.redhat.com/security/data/cve/CVE-2009-1386.html
1361
https://www.redhat.com/security/data/cve/CVE-2009-1387.html
1362
https://www.redhat.com/security/data/cve/CVE-2009-0590.html
192
1360
CVE-2009-1387
,
(CVE-2009-0590
(BZ#472440
)
(CVE-2009-1377
1361
)
1362
)
1363
)
1357 1358
CVE-2009-1378
, ,