RHEL 5 : openssl097a (RHSA-2010:0164)

Medium Nessus Plugin ID 46275


The remote Red Hat host is missing a security update.


Updated openssl097a packages that fix a security issue are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update addresses this flaw by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746.

Refer to the following Knowledgebase article for additional details about this flaw: http://kbase.redhat.com/faq/docs/DOC-20491

All openssl097a users should upgrade to these updated packages, which contain a backported patch to resolve this issue. For the update to take effect, all services linked to the openssl097a library must be restarted, or the system rebooted.


Update the affected openssl097a package.

See Also





Plugin Details

Severity: Medium

ID: 46275

File Name: redhat-RHSA-2010-0164.nasl

Version: $Revision: 1.16 $

Type: local

Agent: unix

Published: 2010/05/11

Modified: 2017/01/04

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 5.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:openssl097a, cpe:/o:redhat:enterprise_linux:5, cpe:/o:redhat:enterprise_linux:5.4

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2010/03/25

Reference Information

CVE: CVE-2009-3555

OSVDB: 59971

RHSA: 2010:0164

CWE: 310