Scientific Linux Security Update : openssl on SL5.x i386/x86_64
Severity: Medium | Nessus Plugin ID: 60725

Synopsis: The remote Scientific Linux host is missing one or more security updates.

Description:
CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky)
CVE-2009-4355 openssl significant memory leak in certain SSLv3 requests (DoS)
It was found that the OpenSSL library did not properly re-initialize its internal state in the SSL_library_init() function after previous calls to the CRYPTO_cleanup_all_ex_data() function, which would cause a memory leak for each subsequent SSL connection. This flaw could cause server applications that call those functions during reload, such as a combination of the Apache HTTP Server, mod_ssl, PHP, and cURL, to consume all available memory, resulting in a denial of service. (CVE-2009-4355)
Dan Kaminsky found that browsers could accept certificates with MD2 hash signatures, even though MD2 is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker to create a malicious certificate that would be treated as trusted by a browser. OpenSSL now disables the use of the MD2 algorithm inside signatures by default. (CVE-2009-2409)
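A defender-side check for the MD2 issue above: the script below parses the signatureAlgorithm field of a DER-encoded X.509 certificate and flags MD2-based OIDs, so certificate stores and chains can be inventoried before the updated OpenSSL starts rejecting them. It is an added example, not code from the advisory or from OpenSSL; the two certificate-shaped byte strings are constructed skeletons for demonstration, and any real certificate should be fed in through `pem_uses_md2_signature`.

```python
import ssl

# Signature-algorithm OIDs that rely on MD2: md2WithRSAEncryption and the bare md2 digest.
MD2_SIGNATURE_OIDS = {"1.2.840.113549.1.1.2", "1.2.840.113549.2.2"}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value bytes, next pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Convert DER OBJECT IDENTIFIER content bytes to dotted-decimal form."""
    arcs, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                               # last byte of this arc
            arcs.append(str(val))
            val = 0
    return ".".join(arcs)

def signature_algorithm_oid(der):
    """Return the OID in Certificate.signatureAlgorithm (2nd element of the outer SEQUENCE)."""
    tag, cert, _ = _read_tlv(der, 0)                   # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)                     # skip tbsCertificate
    _, alg, _ = _read_tlv(cert, pos)                   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid_bytes, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return _decode_oid(oid_bytes)

def uses_md2_signature(der):
    """True if the certificate was signed with an MD2-based algorithm."""
    return signature_algorithm_oid(der) in MD2_SIGNATURE_OIDS

def pem_uses_md2_signature(pem_text):
    """Same check for a PEM-encoded certificate string (e.g. the contents of a .crt file)."""
    return uses_md2_signature(ssl.PEM_cert_to_DER_cert(pem_text))

# Constructed, certificate-shaped DER skeletons for demonstration only (not real certificates):
# SEQUENCE { SEQUENCE { INTEGER 1 }, SEQUENCE { OID, NULL }, BIT STRING }.
MD2_SKELETON = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d0101020500" "03020000")
SHA256_SKELETON = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d01010b0500" "03020000")

if __name__ == "__main__":
    for name, der in (("md2", MD2_SKELETON), ("sha256", SHA256_SKELETON)):
        print(name, signature_algorithm_oid(der), "MD2 signature" if uses_md2_signature(der) else "ok")
```

Run over the certificates a service trusts or presents (the CA bundle, mod_ssl chain files) to find anything that the patched OpenSSL will no longer validate.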
For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
Solution: Update the affected openssl, openssl-devel and / or openssl-perl packages.