Scientific Linux Security Update : openssl on SL5.x i386/x86_64

This script is Copyright (C) 2012 Tenable Network Security, Inc.


Synopsis :

The remote Scientific Linux host is missing one or more security
updates.

Description :

CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky)

CVE-2009-4355 openssl significant memory leak in certain SSLv3
requests (DoS)

It was found that the OpenSSL library did not properly re-initialize
its internal state in the SSL_library_init() function after previous
calls to the CRYPTO_cleanup_all_ex_data() function, which would cause
a memory leak for each subsequent SSL connection. This flaw could
cause server applications that call those functions during reload,
such as a combination of the Apache HTTP Server, mod_ssl, PHP, and
cURL, to consume all available memory, resulting in a denial of
service. (CVE-2009-4355)

Dan Kaminsky found that browsers could accept certificates with MD2
hash signatures, even though MD2 is no longer considered a
cryptographically strong algorithm. This could make it easier for an
attacker to create a malicious certificate that would be treated as
trusted by a browser. OpenSSL now disables the use of the MD2
algorithm inside signatures by default. (CVE-2009-2409)

For the update to take effect, all services linked to the OpenSSL
library must be restarted, or the system rebooted.

See also :

http://www.nessus.org/u?259095c2

Solution :

Update the affected openssl, openssl-devel and / or openssl-perl
packages.

Risk factor :

Medium / CVSS Base Score : 5.1
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)

Family: Scientific Linux Local Security Checks

Nessus Plugin ID: 60725 ()

Bugtraq ID:

CVE ID: CVE-2009-2409
CVE-2009-4355