__________________________________________________________

             The U.S. Department of Energy
        Computer Incident Advisory Capability
__________________________________________________________

                     INFORMATION BULLETIN

                  OpenSSL Security Update
                 [Red Hat RHSA-2006:0661-8]

September 7, 2006 17:00 GMT                                   Number Q-304
[REVISED 11 Sep 2006]
[REVISED 04 Oct 2006]
[REVISED 27 Oct 2006]
[REVISED 02 Nov 2006]
[REVISED 09 Nov 2006]
[REVISED 16 Nov 2006]
[REVISED 01 Dec 2006]
[REVISED 08 Dec 2006]
[REVISED 13 Dec 2006]
[REVISED 24 Jan 2007]
[REVISED 12 Feb 2007]
[REVISED 19 Apr 2007]
[REVISED 25 Apr 2007]
______________________________________________________________________________
PROBLEM:       There are security issues when using OpenSSL before 0.9.7,
               0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an
               RSA key with exponent 3.

PLATFORM:      Red Hat Desktop (v. 3 & v. 4)
               Red Hat Enterprise Linux AS, ES, WS (v. 2.1, v. 3, & v. 4)
               Red Hat Linux Advanced Workstation 2.1 for the Itanium
               Processor
               JDK and JRE 5.0 Update 9 and later for Windows, Solaris,
               and Linux.
               Sun Java System Application Server Standard Edition 7 2004Q2
               Sun Java System Application Server Platform Edition 8.1 2005Q1
               Sun Java System Web Proxy Server 4.0, 6.1
               Sun Java System Application Server Enterprise Edition 7 2004Q2
               Sun ONE Web Server 6.0
               Sun Java System Web Proxy Server 3.6
               HP-UX B.11.11, B.11.23, B.11.31
               HP Tru64 UNIX v 5.1B-4, v 5.1B-3 (SSL and BIND)
               HP Tru64 UNIX v 5.1A PK6, v 4.0G PK4, v 4.0F PK8 (BIND)
               Internet Express (IX) v 6.6 BIND (BIND)
               HP Insight Management Agents for Tru64 UNIX patch v 3.5.2
               and earlier (SSL)
               Solaris 9 and 10 Operating System

DAMAGE:        It may be possible for an attacker to forge a PKCS #1 v1.5
               signature that would be incorrectly verified by
               implementations that do not check for excess data in the RSA
               exponentiation result of the signature.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. OpenSSL, when using an RSA key with
ASSESSMENT:    exponent 3, removes PKCS-1 padding before generating a hash,
               which allows remote attackers to forge a PKCS #1 v1.5
               signature that is signed by that RSA key and prevents OpenSSL
               from correctly verifying X.509 and other certificates that
               use PKCS.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-304.shtml

 ORIGINAL BULLETIN:  Red Hat RHSA-2006:0661-8
                     https://rhn.redhat.com/errata/RHSA-2006-0661.html

 ADDITIONAL LINKS:   Debian Security Advisory 1173-1
                     http://www.debian.org/security/2006/dsa-1173
                     Debian Security Advisory 1174-1
                     http://www.debian.org/security/2006/dsa-1174
                     USCERT VU#845620
                     http://www.kb.cert.org/vuls/id/845620
                     Visit Hewlett-Packard Subscription Service for:
                     HPSBUX02165 SSRT061266
                     Sun Alert ID: 102648
                     http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
                     Sun Alert ID: 102656
                     http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102656-1
                     Sun Alert ID: 102657
                     http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102657-1
                     Sun Alert ID: 102696
                     http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102696-1
                     Sun Alert ID: 102686
                     http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102686-1
                     Sun Alert ID: 102722
                     http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102722-1
                     Sun Alert ID: 102744
                     http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102744-1
                     Visit Hewlett-Packard's Subscription Service for:
                     HPSBUX02186 SSRT071299 rev. 1
                     Red Hat RHSA-2007:0072-2
                     https://rhn.redhat.com/errata/RHSA-2007-0072.html
                     Visit Hewlett-Packard's Subscription Service for:
                     HPSBTU02207 SSRT061213, SSRT061239, SSRT071304 rev. 1
                     Sun Alert ID: 102759
                     http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102759-1

 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
______________________________________________________________________________
REVISION HISTORY:
 09/11/06 - added links to Debian Security Advisories 1173-1, 1174-1 and
            USCERT VU#845620
 10/04/06 - revised to add a link to Sun Alert ID: 102648 for JDK and JRE
            5.0 Update 9 and later for Windows, Solaris, and Linux
 10/27/06 - revised to note that Sun Alert ID: 102648 updated its
            Contributing Factors section, and to add a link to Sun Alert
            ID: 102656
 11/02/06 - added a link to HPSBUX02165 SSRT061266
 11/09/06 - revised Q-304 to add a link to Sun Alert ID: 102696 for Sun
            Java System Application Server Standard Edition 7 2004Q2; Sun
            Java System Application Server Platform Edition 8.1 2005Q1; Sun
            Java System Web Proxy Server 4.0, 6.1; Sun Java System
            Application Server Enterprise Edition 7 2004Q2; Sun ONE Web
            Server 6.0; and Sun Java System Web Proxy Server 3.6.
 11/16/06 - revised to note that Sun Alert ID: 102648 updated its
            Contributing Factors section, and to add a link to Sun Alert
            ID: 102686 for Java 2 Platform, Standard Edition
 12/01/06 - revised to note that Sun Alert ID: 102648 updated its
            Contributing Factors section, and to add a link to Sun Alert
            ID: 102722
 12/08/06 - revised to note that Sun Alert ID: 102657 updated its
            Resolution section and changed its State to "Resolved"
 12/13/06 - updated to note that Sun Alert ID: 102648 updated its
            Contributing Factors section, and to also add a link to Sun
            Alert ID: 102744 for the Solaris 10 operating system
 01/24/07 - revised to add a link to Hewlett-Packard's Subscription Service
            for HPSBUX02186 SSRT071299 rev. 1 for HP-UX B.11.11, B.11.23,
            B.11.31.
 02/12/07 - revised to add a link to Red Hat RHSA-2007:0072-2 for Red Hat
            Enterprise Linux AS, ES, WS (v. 2.1).
 04/19/07 - revised Q-304 to add a link to Hewlett-Packard HPSBTU02207
            SSRT061213, SSRT061239, SSRT071304 rev. 1.
 04/25/07 - revised Q-304 to add a link to Sun Alert ID: 102759 for Solaris
            9 and 10 Operating System.

[***** Start Red Hat RHSA-2006:0661-8 *****]

Important: openssl security update

Advisory:         RHSA-2006:0661-8
Type:             Security Advisory
Issued on:        2006-09-06
Last updated on:  2006-09-06

Affected Products:
  Red Hat Desktop (v. 3)
  Red Hat Desktop (v. 4)
  Red Hat Enterprise Linux AS (v. 2.1)
  Red Hat Enterprise Linux AS (v. 3)
  Red Hat Enterprise Linux AS (v. 4)
  Red Hat Enterprise Linux ES (v. 2.1)
  Red Hat Enterprise Linux ES (v. 3)
  Red Hat Enterprise Linux ES (v. 4)
  Red Hat Enterprise Linux WS (v. 2.1)
  Red Hat Enterprise Linux WS (v. 3)
  Red Hat Enterprise Linux WS (v. 4)
  Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor

CVEs (cve.mitre.org): CVE-2006-4339

Details

Updated OpenSSL packages are now available to correct a security issue.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and protocols.

Daniel Bleichenbacher recently described an attack on PKCS #1 v1.5
signatures. Where an RSA key with exponent 3 is used it may be possible for
an attacker to forge a PKCS #1 v1.5 signature that would be incorrectly
verified by implementations that do not check for excess data in the RSA
exponentiation result of the signature.

The Google Security Team discovered that OpenSSL is vulnerable to this
attack. This issue affects applications that use OpenSSL to verify X.509
certificates as well as other uses of PKCS #1 v1.5. (CVE-2006-4339)

This errata also resolves a problem where a customized ca-bundle.crt file
was overwritten when the openssl package was upgraded.

Users are advised to upgrade to these updated packages, which contain a
backported patch to correct this issue.
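The following is an added illustration and is not code from the Red Hat or OpenSSL patch: it checks the block recovered by RSA public-key exponentiation against the PKCS #1 v1.5 layout, contrasting a lax parser that ignores bytes after the DigestInfo (the class of defect described above) with the strict full-length comparison that closes it. The 1024-bit modulus length, the sample message and the function names are constructed for the example; the real OpenSSL code path parses the DigestInfo as DER rather than by prefix comparison.

```python
"""Strict vs. lax checking of a PKCS #1 v1.5 signature block (illustrative).

After RSA public-key exponentiation the verifier holds an encoded message EM
that must have exactly this layout for a modulus of k bytes:

    EM = 0x00 || 0x01 || PS || 0x00 || T        len(EM) == k

PS is a run of at least eight 0xFF bytes and T is the DER DigestInfo (hash
algorithm identifier followed by the hash). A verifier that finds T and
compares the hash, but does not insist that T ends exactly at the end of EM,
accepts blocks carrying extra data after the hash. That missing check is the
defect class behind CVE-2006-4339.
"""
import hashlib

# DER prefix of DigestInfo for SHA-1 (RFC 3447, section 9.2, note 1).
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

MODULUS_LEN = 128                    # constructed: a 1024-bit RSA modulus
MSG = b"constructed sample message"  # constructed: the signed data


def digest_info_sha1(message: bytes) -> bytes:
    """T = DigestInfo(SHA-1, Hash(message))."""
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()


def lax_verify_em(em: bytes, message: bytes) -> bool:
    """Mimics the defective check: header and padding are validated and the
    hash is compared, but whatever follows T is never looked at."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x01:
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        return False
    t = digest_info_sha1(message)
    # Defect: only the bytes immediately after the separator are compared;
    # trailing data after T is silently accepted.
    return em[i + 1:i + 1 + len(t)] == t


def strict_verify_em(em: bytes, message: bytes, modulus_len: int) -> bool:
    """Corrected check (RFC 3447 EMSA-PKCS1-v1_5 verification): rebuild the
    single valid EM for this modulus length and require an exact match, so
    no byte of EM is left unaccounted for."""
    t = digest_info_sha1(message)
    ps_len = modulus_len - len(t) - 3
    if ps_len < 8:
        return False
    expected = b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t
    return len(em) == modulus_len and em == expected


def well_formed_em() -> bytes:
    """Constructed EM exactly as a correct signer would produce it."""
    t = digest_info_sha1(MSG)
    return b"\x00\x01" + b"\xff" * (MODULUS_LEN - len(t) - 3) + b"\x00" + t


def malformed_em_with_trailing_data() -> bytes:
    """Constructed EM with a minimal PS and filler after T. It is still
    MODULUS_LEN bytes long, so only the full-length comparison rejects it."""
    t = digest_info_sha1(MSG)
    ps = b"\xff" * 8
    filler_len = MODULUS_LEN - 3 - len(ps) - len(t)
    return b"\x00\x01" + ps + b"\x00" + t + b"\x00" * filler_len


def demo() -> dict:
    """Run both checks over both blocks; the lax verifier accepts the
    malformed block, the strict one does not."""
    good, bad = well_formed_em(), malformed_em_with_trailing_data()
    return {
        "lax_accepts_good": lax_verify_em(good, MSG),
        "lax_accepts_bad": lax_verify_em(bad, MSG),
        "strict_accepts_good": strict_verify_em(good, MSG, MODULUS_LEN),
        "strict_accepts_bad": strict_verify_em(bad, MSG, MODULUS_LEN),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```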
Note: After installing this update, users are advised to either restart all
services that use OpenSSL or restart their system.

Solution

Users of Red Hat Enterprise Linux 2.1 may need to use the command
"up2date openssl openssl095a openssl096" to install these updated packages
on their systems. This is due to a conflict between Galeon and the recent
Seamonkey update. We will provide updated Galeon packages to fix this
conflict in a future erratum.

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network, launch
the Red Hat Update Agent with the following command:

  up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

  170740 - Custom ca-bundle.crt overwritten on upgrade
  175811 - Custom ca-bundle.crt overwritten on upgrade
  205180 - CVE-2006-4339 RSA signature forgery

References

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
  http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html
  http://www.openssl.org/news/secadv_20060905.txt
  http://www.redhat.com/security/updates/classification/#important

--------------------------------------------------------------------------------

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA-2006:0661-8 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the University
of California. The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government or the
University of California, and shall not be used for advertising or product
endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-295: ImageMagick Security Update
Q-296: HP OpenView Storage Data Protector
Q-297: Cisco Unintentional Password Modification Vulnerability in Cisco
       Firewall Products
Q-298: Cisco VPN 3000 Concentrator FTP Management Vulnerabilities
Q-299: VMware ESX Server 2.5.3 Upgrade Patch 2
Q-300: Security Vulnerability in the Sun Java System Content Delivery Server
Q-301: pkgadd(1M) May Set Incorrect Permissions
Q-302: mysql-dfsg-4.1
CIACTech06-001: Protecting Against SQL Injection Attacks
Q-303: Multiple DoS Vulnerabilities in the BIND 9 Software