Detections
Analytics
Scientific Linux Security Update : openssl on SL5.x i386/x86_64
medium Nessus Plugin ID 60725
Language:
Synopsis
The remote Scientific Linux host is missing one or more security updates.Description
CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky)CVE-2009-4355 openssl significant memory leak in certain SSLv3 requests (DoS)
It was found that the OpenSSL library did not properly re-initialize its internal state in the SSL_library_init() function after previous calls to the CRYPTO_cleanup_all_ex_data() function, which would cause a memory leak for each subsequent SSL connection. This flaw could cause server applications that call those functions during reload, such as a combination of the Apache HTTP Server, mod_ssl, PHP, and cURL, to consume all available memory, resulting in a denial of service. (CVE-2009-4355)
Dan Kaminsky found that browsers could accept certificates with MD2 hash signatures, even though MD2 is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker to create a malicious certificate that would be treated as trusted by a browser. OpenSSL now disables the use of the MD2 algorithm inside signatures by default. (CVE-2009-2409)
For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
Solution
Update the affected openssl, openssl-devel and / or openssl-perl packages.See Also
Plugin Details
Severity: Medium
ID: 60725
File Name: sl_20100119_openssl_on_SL5_x.nasl
Version: 1.7
Type: local
Agent: unix
Published: 8/1/2012
Updated: 1/14/2021
Supported Sensors: Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: Medium
Base Score: 5.1
Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P
Vulnerability Information
CPE: x-cpe:/o:fermilab:scientific_linux
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
Patch Publication Date: 1/19/2010
Reference Information
CVE: CVE-2009-2409, CVE-2009-4355