Scientific Linux Security Update : openssl on SL5.x i386/x86_64

medium Nessus Plugin ID 60725
New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it is different from CVSS.

VPR Score: 6.7

Synopsis

The remote Scientific Linux host is missing one or more security updates.

Description

CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky)

CVE-2009-4355 openssl significant memory leak in certain SSLv3 requests (DoS)

It was found that the OpenSSL library did not properly re-initialize its internal state in the SSL_library_init() function after previous calls to the CRYPTO_cleanup_all_ex_data() function, which would cause a memory leak for each subsequent SSL connection. This flaw could cause server applications that call those functions during reload, such as a combination of the Apache HTTP Server, mod_ssl, PHP, and cURL, to consume all available memory, resulting in a denial of service. (CVE-2009-4355)

Dan Kaminsky found that browsers could accept certificates with MD2 hash signatures, even though MD2 is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker to create a malicious certificate that would be treated as trusted by a browser. OpenSSL now disables the use of the MD2 algorithm inside signatures by default. (CVE-2009-2409)

For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

Solution

Update the affected openssl, openssl-devel and / or openssl-perl packages.

See Also

http://www.nessus.org/u?802f5323

Plugin Details

Severity: Medium

ID: 60725

File Name: sl_20100119_openssl_on_SL5_x.nasl

Version: 1.7

Type: local

Agent: unix

Published: 8/1/2012

Updated: 1/14/2021

Dependencies: 12634

Risk Information

Risk Factor: Medium

VPR Score: 6.7

CVSS v2.0

Base Score: 5.1

Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: x-cpe:/o:fermilab:scientific_linux

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 1/19/2010

Reference Information

CVE: CVE-2009-2409, CVE-2009-4355

CWE: 310, 399