RHEL 2.1 : openssl (RHSA-2004:119)

medium Nessus Plugin ID 12479
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

Updated OpenSSL packages that fix a remote denial of service vulnerability are now available for Red Hat Enterprise Linux 2.1.

OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a bug in older versions of OpenSSL 0.9.6 prior to 0.9.6d that can lead to a denial of service attack (infinite loop).
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0081 to this issue.

Testing performed by Novell using a test suite provided by NISCC uncovered an issue in the ASN.1 parser in versions of OpenSSL 0.9.6 prior to 0.9.6l which could cause large recursion and possibly lead to a denial of service attack if used where stack space is limited. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0851 to this issue.

These updated packages contain patches provided by the OpenSSL group that protect against these issues.

NOTE: Because server applications are affected by this issue, users are advised to either restart all services using OpenSSL functionality or restart their system after installing these updated packages.

Solution

Update the affected packages.

See Also

https://access.redhat.com/security/cve/cve-2003-0851

https://access.redhat.com/security/cve/cve-2004-0081

http://www.codenomicon.com/testtools/tls/

http://www.cpni.gov.uk/

https://access.redhat.com/errata/RHSA-2004:119

Plugin Details

Severity: Medium

ID: 12479

File Name: redhat-RHSA-2004-119.nasl

Version: 1.28

Type: local

Agent: unix

Published: 7/6/2004

Updated: 1/14/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.3

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Temporal Vector: E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:openssl, p-cpe:/a:redhat:enterprise_linux:openssl-devel, p-cpe:/a:redhat:enterprise_linux:openssl-perl, p-cpe:/a:redhat:enterprise_linux:openssl095a, p-cpe:/a:redhat:enterprise_linux:openssl096, cpe:/o:redhat:enterprise_linux:2.1

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 3/17/2004

Vulnerability Publication Date: 12/1/2003

Reference Information

CVE: CVE-2003-0851, CVE-2004-0081

BID: 8970, 9899

RHSA: 2004:119