ID

VAR-201406-0445

CVE

CVE-2014-0224

TITLE

OpenSSL is vulnerable to a man-in-the-middle attack

DESCRIPTION

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability. OpenSSL is vulnerable to a man-in-the-middle attack. An attacker can exploit this issue to crash the affected application, denying service to legitimate users. This is the Bash Shell vulnerability known as "Shellshock" which could be exploited remotely to allow execution of code. This vulnerability allows users that have been granted access to a shell script to escalate privilege and execute unrestricted commands at the same security level as the Bash script. References: CVE-2014-0224 CVE-2014-6271 CVE-2014-6277 CVE-2014-6278 CVE-2014-7169 SSRT101765 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. Customers who need to upgrade the firmware of their Superdome X or HP Converged System 900 for SAP HANA should contact HP Technical Support to obtain the firmware or plan to schedule an onsite visit with an HP Services field service professional. NOTE: HP strongly recommends implementing the following security best practices to help reduce both known and future security vulnerability risks: Isolate the HP Superdome X or HP Converged System 900 for SAP HANA's management network by keeping it separate from the data or production network, and not connecting it directly to the Internet without additional access authentication. Patch and maintain Lightweight Directory Access Protocol (LDAP) and web servers. Use virus scanners, intrusion detection/prevention systems (IDS/IPS), and vulnerability scanners regularly. Apply all recommended HP Firmware updates. Here are the details from the Slackware 14.1 ChangeLog: +--------------------------+ patches/packages/openssl-1.0.1h-i486-1_slack14.1.txz: Upgraded. Multiple security issues have been corrected, including a possible man-in-the-middle attack where weak keying material is forced, denial of service, and the execution of arbitrary code. +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated packages for Slackware 13.0: ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssl-0.9.8za-i486-1_slack13.0.txz ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssl-solibs-0.9.8za-i486-1_slack13.0.txz Updated packages for Slackware x86_64 13.0: ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/openssl-0.9.8za-x86_64-1_slack13.0.txz ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/openssl-solibs-0.9.8za-x86_64-1_slack13.0.txz Updated packages for Slackware 13.1: ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssl-0.9.8za-i486-1_slack13.1.txz ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssl-solibs-0.9.8za-i486-1_slack13.1.txz Updated packages for Slackware x86_64 13.1: ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/openssl-0.9.8za-x86_64-1_slack13.1.txz ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/openssl-solibs-0.9.8za-x86_64-1_slack13.1.txz Updated packages for Slackware 13.37: ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/openssl-0.9.8za-i486-1_slack13.37.txz ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/openssl-solibs-0.9.8za-i486-1_slack13.37.txz Updated packages for Slackware x86_64 13.37: ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/openssl-0.9.8za-x86_64-1_slack13.37.txz ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/openssl-solibs-0.9.8za-x86_64-1_slack13.37.txz Updated packages for Slackware 14.0: ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-1.0.1h-i486-1_slack14.0.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-solibs-1.0.1h-i486-1_slack14.0.txz Updated packages for Slackware x86_64 14.0: ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-1.0.1h-x86_64-1_slack14.0.txz ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-solibs-1.0.1h-x86_64-1_slack14.0.txz Updated packages for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/openssl-1.0.1h-i486-1_slack14.1.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/openssl-solibs-1.0.1h-i486-1_slack14.1.txz Updated packages for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/openssl-1.0.1h-x86_64-1_slack14.1.txz ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/openssl-solibs-1.0.1h-x86_64-1_slack14.1.txz Updated packages for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/openssl-solibs-1.0.1h-i486-1.txz ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssl-1.0.1h-i486-1.txz Updated packages for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/openssl-solibs-1.0.1h-x86_64-1.txz ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/openssl-1.0.1h-x86_64-1.txz MD5 signatures: +-------------+ Slackware 13.0 packages: 634b8ecc8abc6d3f249b73d0fefa5959 openssl-0.9.8za-i486-1_slack13.0.txz a2529f1243d42a3608f61b96236b5f60 openssl-solibs-0.9.8za-i486-1_slack13.0.txz Slackware x86_64 13.0 packages: 2ddac651c5f2531f3a7f70d9f5823bd6 openssl-0.9.8za-x86_64-1_slack13.0.txz d7ffeb15713a587f642fbb3d5c310c75 openssl-solibs-0.9.8za-x86_64-1_slack13.0.txz Slackware 13.1 packages: 0b84a6a1edf76cba83d4c52c54196baa openssl-0.9.8za-i486-1_slack13.1.txz dfd5d241b0e1703ae9d70d6ccda06179 openssl-solibs-0.9.8za-i486-1_slack13.1.txz Slackware x86_64 13.1 packages: bd749622577a5f76a59d90b95aa922fd openssl-0.9.8za-x86_64-1_slack13.1.txz 35cf911dd9f0cc13f7f0056d9e1f4520 openssl-solibs-0.9.8za-x86_64-1_slack13.1.txz Slackware 13.37 packages: 8f674defac9002c81265d284b1072f75 openssl-0.9.8za-i486-1_slack13.37.txz 48ce79e7714cb0c823d2b6ea4a88ba51 openssl-solibs-0.9.8za-i486-1_slack13.37.txz Slackware x86_64 13.37 packages: efa09162c22782c15806bca99472c5be openssl-0.9.8za-x86_64-1_slack13.37.txz 8e3b8d1e3d3a740bd274fbe38dc10f96 openssl-solibs-0.9.8za-x86_64-1_slack13.37.txz Slackware 14.0 packages: 8e2698d19f54c7e0cac8f998df23b782 openssl-1.0.1h-i486-1_slack14.0.txz cf6233bc169cf6dd192bb7210f779fc1 openssl-solibs-1.0.1h-i486-1_slack14.0.txz Slackware x86_64 14.0 packages: 2b4f0610d5e46fa7bb27a0b39f0d6d33 openssl-1.0.1h-x86_64-1_slack14.0.txz 18fdd83dcf86204275508a689a017dea openssl-solibs-1.0.1h-x86_64-1_slack14.0.txz Slackware 14.1 packages: 49aea7da42eef41da894f29762971863 openssl-1.0.1h-i486-1_slack14.1.txz 6f19f4fdc3f018b4e821c519d7bb1e5c openssl-solibs-1.0.1h-i486-1_slack14.1.txz Slackware x86_64 14.1 packages: ccf5ff2b107c665a4f3bf98176937749 openssl-1.0.1h-x86_64-1_slack14.1.txz ea1aaba38c98b096186ca94ca541a793 openssl-solibs-1.0.1h-x86_64-1_slack14.1.txz Slackware -current packages: db1ed7ded71ab503f567940fff39eb16 a/openssl-solibs-1.0.1h-i486-1.txz 0db4f91f9b568b2b2629950e5ab88b22 n/openssl-1.0.1h-i486-1.txz Slackware x86_64 -current packages: d01aef33335bee27f36574241f54091f a/openssl-solibs-1.0.1h-x86_64-1.txz 95a743d21c58f39573845d6ec5270656 n/openssl-1.0.1h-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the packages as root: # upgradepkg openssl-1.0.1h-i486-1_slack14.1.txz openssl-solibs-1.0.1h-i486-1_slack14.1.txz +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. Release Date: 2014-08-08 Last Updated: 2014-08-08 Potential Security Impact: Remote denial of service (DoS), code execution, unauthorized access, disclosure of information Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with HP System Management Homepage (SMH), HP Smart Update Manager (SUM), and HP Version Control Agent (VCA) running on Linux and Windows. These components of HP Insight Control server deployment could be exploited remotely resulting in denial of service (DoS), code execution, unauthorized access, or disclosure of information. HP Insight Control server deployment packages HP System Management Homepage (SMH) and HP Version Control Agent (VCA), and HP Smart Update Manager (SUM) and deploys them through the following components. This bulletin provides the information needed to update the HP Insight Control server deployment solution. Install HP Management Agents for Windows x86/x64 Install HP Management Agents for RHEL 5 x64 Install HP Management Agents for RHEL 6 x64 Install HP Management Agents for SLES 10 x64 Install HP Management Agents for SLES 11 x64 Upgrade Proliant Firmware References: CVE-2010-5298 Remote Denial of Service CVE-2014-0076 Unauthorized Disclosure of Information CVE-2014-0195 Remote Unauthorized Access CVE-2014-0198 Remote Denial of Service CVE-2014-0221 Remote Denial of Service (DoS) CVE-2014-0224 Remote Unauthorized Access or Disclosure of Information CVE-2014-3470 Remote Code Execution or Unauthorized Access SSRT101628 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP Insight Control server deployment v7.1.2, v7.2.0, v7.2.1, v7.2.2, v7.3.1 BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2010-5298 (AV:N/AC:H/Au:N/C:N/I:P/A:P) 4.0 CVE-2014-0076 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 CVE-2014-0195 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8 CVE-2014-0198 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2014-0221 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2014-0224 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8 CVE-2014-3470 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has provided the following updates to v7.3.1 of HP Insight Control server deployment to resolve this vulnerability. HP has provided manual update steps if a version upgrade is not possible; if users wish to remain at v7.1.2, v7.2.0, or v7.2.1. Note: It is important to check your current running version of HP Insight Control server deployment and to follow the correct steps listed below. For HP Insight Control server deployment v7.2.2, users must upgrade to v7.3.1 and follow the steps below to remove the vulnerability. The vulnerability known as Heartbleed (CVE-2014-0160) was fixed in HP Insight Control server deployment v7.3.1. That Security Bulletin with instructions on how to upgrade to v7.3.1 can be found here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_n a-c04267749 HP Insight Control server deployment users of v7.1.2, v7.2.0, v7.2.1 should take the following steps to remove this vulnerability. Delete the files smhamd64-*.exe/smhx86-*.exe" from Component Copy Location listed in the following table, rows 1 and 2. Delete the files "vcax86-*.exe/vcaamd64-*.exe from Component Copy Location listed in the following table, rows 3 and 4. Delete the files hpsmh-7.*.rpm" from Component Copy Location listed in row 5. In sequence, perform the steps from left to right in the following table. First, download components from Download Link; Second, rename the component as suggested in Rename to. Third, copy the component to the location specified in Component Copy Location. Table Row Number Download Link Rename to Component Copy Location 1 http://www.hp.com/swpublishing/MTX-e8076c2a35804685ad65b2b1ba smhamd64-ccp023716.exe \\express\hpfeatures\hpagents-ws\components\Win2008 2 http://www.hp.com/swpublishing/MTX-3395d737d98f42149125b9bb05 smhx86-cp023715.exe \\express\hpfeatures\hpagents-ws\components\Win2008 3 http://www.hp.com/swpublishing/MTX-8aefeaf490284a7691eca97d13 vcax86-cp023742.exe \\express\hpfeatures\hpagents-ws\components\Win2008 4 http://www.hp.com/swpublishing/MTX-c0d32bac154a4d93839d8cd1f2 vcaamd64-cp023743.exe \\express\hpfeatures\hpagents-ws\components\Win2008 5 http://www.hp.com/swpublishing/MTX-bd9a1cf60e344c549c4888db93 Do not rename the downloaded component for this step. \\express\hpfeatures\hpagents-sles11-x64\components \\express\hpfeatures\hpagents-sles10-x64\components \\express\hpfeatures\hpagents-rhel5-x64\components \\express\hpfeatures\hpagents-rhel6-x64\components Download and extract the HPSUM 5.3.6 component from ftp://ftp.hp.com/pub/softlib2/software1/pubsw-windows/p750586112/v99793 Copy all content from extracted ZIP folder and paste into \\eXpress\hpfeatures\fw-proLiant\components Initiate Install HP Management Agents for SLES 11 x64 on targets running SLES11 x64. Initiate Install HP Management Agents for SLES 10 x64 on targets running SLES10 x64. Initiate Install HP Management Agents for RHEL 6 x64 on targets running RHEL 6 x64. Initiate Install HP Management Agents for RHEL 5 x64 on targets running RHEL 5 x64. Initiate Install HP Management Agents for Windows x86/x64 on targets running Windows. HP Insight Control server deployment users with v7.2.2: Please upgrade to Insight Control server deployment v7.3.1 and follow the steps below for v7.3.1. HP Insight Control server deployment users with v7.3.1: Perform steps 1 - 4 as outlined above for users with HP Insight Control server deployment v7.1.2, v7.2.0, and v7.2.1. Download the HP SUM ZIP file from http://www.hp.com/swpublishing/MTX-f6c141a7feeb4a358bbb28300f Extract the contents from the HP SUM ZIP file to \\eXpress\hpfeatures\fw-proLiant\components location on the Insight Control server deployment server Related security bulletins: For System Management Homepage please see Security bulletin HPSBMU03051 https ://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04 345210 For HP Version Control Agent please see Security bulletin HPSBMU03057 https:/ /h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c0434 9897 HISTORY Version:1 (rev.1) - 8 August 2014 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2014 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. Relevant releases/architectures: RHEV Hypervisor for RHEL-6 - noarch 3. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. A privileged guest user could use this flaw to crash the host or corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. The CVE-2014-0077 issue was discovered by Michael S. This updated package provides updated components that include fixes for various security issues. The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack (CVE-2014-0076). The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment (CVE-2014-0195). The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that trigger an alert condition (CVE-2014-0198). The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value (CVE-2014-3470). Memory leak in d1_srtp.c in the DTLS SRTP extension in OpenSSL 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted handshake message (CVE-2014-3513). The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the POODLE issue (CVE-2014-3566). Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure (CVE-2014-3567). The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix (CVE-2014-3569). The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c (CVE-2014-3570). OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c (CVE-2014-3571). The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message (CVE-2014-3572). OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate&#039;s unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c (CVE-2014-8275). The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the FREAK issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations (CVE-2015-0204). Memory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate records for the next epoch, leading to failure of replay detection (CVE-2015-0206). Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import (CVE-2015-0209). The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly perform boolean-type comparisons, which allows remote attackers to cause a denial of service (invalid read operation and application crash) via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature (CVE-2015-0286). The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not reinitialize CHOICE and ADB data structures, which might allow attackers to cause a denial of service (invalid write operation and memory corruption) by leveraging an application that relies on ASN.1 structure reuse (CVE-2015-0287). The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly handle a lack of outer ContentInfo, which allows attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, related to crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c (CVE-2015-0289). The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (s2_lib.c assertion failure and daemon exit) via a crafted CLIENT-MASTER-KEY message (CVE-2015-0293). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0195 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0221 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0209 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0286 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0287 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0288 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0289 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0293 http://openssl.org/news/secadv_20150108.txt http://openssl.org/news/secadv_20150319.txt _______________________________________________________________________ Updated Packages: Mandriva Business Server 2/X86_64: 324a85f7e1165ab02881e44dbddaf599 mbs2/x86_64/lib64openssl1.0.0-1.0.1m-1.mbs2.x86_64.rpm 9c0bfb6ebd43cb6d81872abf71b4f85f mbs2/x86_64/lib64openssl-devel-1.0.1m-1.mbs2.x86_64.rpm 58df54e72ca7270210c7d8dd23df402b mbs2/x86_64/lib64openssl-engines1.0.0-1.0.1m-1.mbs2.x86_64.rpm b5313ffb5baaa65aea05eb05486d309a mbs2/x86_64/lib64openssl-static-devel-1.0.1m-1.mbs2.x86_64.rpm a9890ce4c33630cb9e00f3b2910dd784 mbs2/x86_64/openssl-1.0.1m-1.mbs2.x86_64.rpm 521297a5fe26e2de0c1222d8d03382d1 mbs2/SRPMS/openssl-1.0.1m-1.mbs2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFVFTm1mqjQ0CJFipgRAoYFAKCaubn00colzVNnUBFjSElyDptGMQCfaGoS kz0ex6eI6hA6qSwklA2NoXY= =GYjX -----END PGP SIGNATURE----- . 7) - x86_64 3. (CVE-2014-0195) Multiple flaws were found in the way OpenSSL handled read and write buffers when the SSL_MODE_RELEASE_BUFFERS mode was enabled. A TLS/SSL client or server using OpenSSL could crash or unexpectedly drop connections when processing certain SSL traffic. (CVE-2010-5298, CVE-2014-0198) A denial of service flaw was found in the way OpenSSL handled certain DTLS ServerHello requests. (CVE-2014-0221) A NULL pointer dereference flaw was found in the way OpenSSL performed anonymous Elliptic Curve Diffie Hellman (ECDH) key exchange. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: openssl security update Advisory ID: RHSA-2014:0627-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0627.html Issue date: 2014-06-05 CVE Names: CVE-2014-0224 ===================================================================== 1. Summary: Updated openssl packages that fix one security issue are now available for Red Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat Enterprise Linux 6.3 and 6.4 Extended Update Support. The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS (v. 4 ELS) - i386, ia64, x86_64 Red Hat Enterprise Linux Compute Node EUS (v. 6.3) - x86_64 Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.3) - x86_64 Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.4) - x86_64 Red Hat Enterprise Linux ES (v. 4 ELS) - i386, x86_64 Red Hat Enterprise Linux EUS (v. 5.9 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux HPC Node EUS (v. 6.4) - x86_64 Red Hat Enterprise Linux LL (v. 5.6 server) - i386, ia64, x86_64 Red Hat Enterprise Linux Server EUS (v. 6.3) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server EUS (v. 6.4) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional EUS (v. 6.3) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional EUS (v. 6.4) - i386, ppc64, s390x, x86_64 3. Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server. (CVE-2014-0224) Note: In order to exploit this flaw, both the server and the client must be using a vulnerable version of OpenSSL; the server must be using OpenSSL version 1.0.1 and above, and the client must be using any version of OpenSSL. For more information about this flaw, refer to: https://access.redhat.com/site/articles/904433 Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges KIKUCHI Masashi of Lepidum as the original reporter of this issue. All OpenSSL users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all services linked to the OpenSSL library (such as httpd and other SSL-enabled services) must be restarted or the system rebooted. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Package List: Red Hat Enterprise Linux AS (v. 4 ELS): Source: openssl-0.9.7a-43.22.el4.src.rpm i386: openssl-0.9.7a-43.22.el4.i386.rpm openssl-0.9.7a-43.22.el4.i686.rpm openssl-debuginfo-0.9.7a-43.22.el4.i386.rpm openssl-debuginfo-0.9.7a-43.22.el4.i686.rpm openssl-devel-0.9.7a-43.22.el4.i386.rpm openssl-perl-0.9.7a-43.22.el4.i386.rpm ia64: openssl-0.9.7a-43.22.el4.i686.rpm openssl-0.9.7a-43.22.el4.ia64.rpm openssl-debuginfo-0.9.7a-43.22.el4.i686.rpm openssl-debuginfo-0.9.7a-43.22.el4.ia64.rpm openssl-devel-0.9.7a-43.22.el4.ia64.rpm openssl-perl-0.9.7a-43.22.el4.ia64.rpm x86_64: openssl-0.9.7a-43.22.el4.i686.rpm openssl-0.9.7a-43.22.el4.x86_64.rpm openssl-debuginfo-0.9.7a-43.22.el4.i386.rpm openssl-debuginfo-0.9.7a-43.22.el4.i686.rpm openssl-debuginfo-0.9.7a-43.22.el4.x86_64.rpm openssl-devel-0.9.7a-43.22.el4.i386.rpm openssl-devel-0.9.7a-43.22.el4.x86_64.rpm openssl-perl-0.9.7a-43.22.el4.x86_64.rpm Red Hat Enterprise Linux ES (v. 4 ELS): Source: openssl-0.9.7a-43.22.el4.src.rpm i386: openssl-0.9.7a-43.22.el4.i386.rpm openssl-0.9.7a-43.22.el4.i686.rpm openssl-debuginfo-0.9.7a-43.22.el4.i386.rpm openssl-debuginfo-0.9.7a-43.22.el4.i686.rpm openssl-devel-0.9.7a-43.22.el4.i386.rpm openssl-perl-0.9.7a-43.22.el4.i386.rpm x86_64: openssl-0.9.7a-43.22.el4.i686.rpm openssl-0.9.7a-43.22.el4.x86_64.rpm openssl-debuginfo-0.9.7a-43.22.el4.i386.rpm openssl-debuginfo-0.9.7a-43.22.el4.i686.rpm openssl-debuginfo-0.9.7a-43.22.el4.x86_64.rpm openssl-devel-0.9.7a-43.22.el4.i386.rpm openssl-devel-0.9.7a-43.22.el4.x86_64.rpm openssl-perl-0.9.7a-43.22.el4.x86_64.rpm Red Hat Enterprise Linux LL (v. 5.6 server): Source: openssl-0.9.8e-12.el5_6.12.src.rpm i386: openssl-0.9.8e-12.el5_6.12.i386.rpm openssl-0.9.8e-12.el5_6.12.i686.rpm openssl-debuginfo-0.9.8e-12.el5_6.12.i386.rpm openssl-debuginfo-0.9.8e-12.el5_6.12.i686.rpm openssl-devel-0.9.8e-12.el5_6.12.i386.rpm openssl-perl-0.9.8e-12.el5_6.12.i386.rpm ia64: openssl-0.9.8e-12.el5_6.12.i686.rpm openssl-0.9.8e-12.el5_6.12.ia64.rpm openssl-debuginfo-0.9.8e-12.el5_6.12.i686.rpm openssl-debuginfo-0.9.8e-12.el5_6.12.ia64.rpm openssl-devel-0.9.8e-12.el5_6.12.ia64.rpm openssl-perl-0.9.8e-12.el5_6.12.ia64.rpm x86_64: openssl-0.9.8e-12.el5_6.12.i686.rpm openssl-0.9.8e-12.el5_6.12.x86_64.rpm openssl-debuginfo-0.9.8e-12.el5_6.12.i386.rpm openssl-debuginfo-0.9.8e-12.el5_6.12.i686.rpm openssl-debuginfo-0.9.8e-12.el5_6.12.x86_64.rpm openssl-devel-0.9.8e-12.el5_6.12.i386.rpm openssl-devel-0.9.8e-12.el5_6.12.x86_64.rpm openssl-perl-0.9.8e-12.el5_6.12.x86_64.rpm Red Hat Enterprise Linux EUS (v. 5.9 server): Source: openssl-0.9.8e-26.el5_9.4.src.rpm i386: openssl-0.9.8e-26.el5_9.4.i386.rpm openssl-0.9.8e-26.el5_9.4.i686.rpm openssl-debuginfo-0.9.8e-26.el5_9.4.i386.rpm openssl-debuginfo-0.9.8e-26.el5_9.4.i686.rpm openssl-devel-0.9.8e-26.el5_9.4.i386.rpm openssl-perl-0.9.8e-26.el5_9.4.i386.rpm ia64: openssl-0.9.8e-26.el5_9.4.i686.rpm openssl-0.9.8e-26.el5_9.4.ia64.rpm openssl-debuginfo-0.9.8e-26.el5_9.4.i686.rpm openssl-debuginfo-0.9.8e-26.el5_9.4.ia64.rpm openssl-devel-0.9.8e-26.el5_9.4.ia64.rpm openssl-perl-0.9.8e-26.el5_9.4.ia64.rpm ppc: openssl-0.9.8e-26.el5_9.4.ppc.rpm openssl-0.9.8e-26.el5_9.4.ppc64.rpm openssl-debuginfo-0.9.8e-26.el5_9.4.ppc.rpm openssl-debuginfo-0.9.8e-26.el5_9.4.ppc64.rpm openssl-devel-0.9.8e-26.el5_9.4.ppc.rpm openssl-devel-0.9.8e-26.el5_9.4.ppc64.rpm openssl-perl-0.9.8e-26.el5_9.4.ppc.rpm s390x: openssl-0.9.8e-26.el5_9.4.s390.rpm openssl-0.9.8e-26.el5_9.4.s390x.rpm openssl-debuginfo-0.9.8e-26.el5_9.4.s390.rpm openssl-debuginfo-0.9.8e-26.el5_9.4.s390x.rpm openssl-devel-0.9.8e-26.el5_9.4.s390.rpm openssl-devel-0.9.8e-26.el5_9.4.s390x.rpm openssl-perl-0.9.8e-26.el5_9.4.s390x.rpm x86_64: openssl-0.9.8e-26.el5_9.4.i686.rpm openssl-0.9.8e-26.el5_9.4.x86_64.rpm openssl-debuginfo-0.9.8e-26.el5_9.4.i386.rpm openssl-debuginfo-0.9.8e-26.el5_9.4.i686.rpm openssl-debuginfo-0.9.8e-26.el5_9.4.x86_64.rpm openssl-devel-0.9.8e-26.el5_9.4.i386.rpm openssl-devel-0.9.8e-26.el5_9.4.x86_64.rpm openssl-perl-0.9.8e-26.el5_9.4.x86_64.rpm Red Hat Enterprise Linux Compute Node EUS (v. 6.3): Source: openssl-1.0.0-25.el6_3.3.src.rpm x86_64: openssl-1.0.0-25.el6_3.3.i686.rpm openssl-1.0.0-25.el6_3.3.x86_64.rpm openssl-debuginfo-1.0.0-25.el6_3.3.i686.rpm openssl-debuginfo-1.0.0-25.el6_3.3.x86_64.rpm Red Hat Enterprise Linux HPC Node EUS (v. 6.4): Source: openssl-1.0.0-27.el6_4.4.src.rpm x86_64: openssl-1.0.0-27.el6_4.4.i686.rpm openssl-1.0.0-27.el6_4.4.x86_64.rpm openssl-debuginfo-1.0.0-27.el6_4.4.i686.rpm openssl-debuginfo-1.0.0-27.el6_4.4.x86_64.rpm Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.3): Source: openssl-1.0.0-25.el6_3.3.src.rpm x86_64: openssl-debuginfo-1.0.0-25.el6_3.3.i686.rpm openssl-debuginfo-1.0.0-25.el6_3.3.x86_64.rpm openssl-devel-1.0.0-25.el6_3.3.i686.rpm openssl-devel-1.0.0-25.el6_3.3.x86_64.rpm openssl-perl-1.0.0-25.el6_3.3.x86_64.rpm openssl-static-1.0.0-25.el6_3.3.x86_64.rpm Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.4): Source: openssl-1.0.0-27.el6_4.4.src.rpm x86_64: openssl-debuginfo-1.0.0-27.el6_4.4.i686.rpm openssl-debuginfo-1.0.0-27.el6_4.4.x86_64.rpm openssl-devel-1.0.0-27.el6_4.4.i686.rpm openssl-devel-1.0.0-27.el6_4.4.x86_64.rpm openssl-perl-1.0.0-27.el6_4.4.x86_64.rpm openssl-static-1.0.0-27.el6_4.4.x86_64.rpm Red Hat Enterprise Linux Server EUS (v. 6.3): Source: openssl-1.0.0-25.el6_3.3.src.rpm i386: openssl-1.0.0-25.el6_3.3.i686.rpm openssl-debuginfo-1.0.0-25.el6_3.3.i686.rpm openssl-devel-1.0.0-25.el6_3.3.i686.rpm ppc64: openssl-1.0.0-25.el6_3.3.ppc.rpm openssl-1.0.0-25.el6_3.3.ppc64.rpm openssl-debuginfo-1.0.0-25.el6_3.3.ppc.rpm openssl-debuginfo-1.0.0-25.el6_3.3.ppc64.rpm openssl-devel-1.0.0-25.el6_3.3.ppc.rpm openssl-devel-1.0.0-25.el6_3.3.ppc64.rpm s390x: openssl-1.0.0-25.el6_3.3.s390.rpm openssl-1.0.0-25.el6_3.3.s390x.rpm openssl-debuginfo-1.0.0-25.el6_3.3.s390.rpm openssl-debuginfo-1.0.0-25.el6_3.3.s390x.rpm openssl-devel-1.0.0-25.el6_3.3.s390.rpm openssl-devel-1.0.0-25.el6_3.3.s390x.rpm x86_64: openssl-1.0.0-25.el6_3.3.i686.rpm openssl-1.0.0-25.el6_3.3.x86_64.rpm openssl-debuginfo-1.0.0-25.el6_3.3.i686.rpm openssl-debuginfo-1.0.0-25.el6_3.3.x86_64.rpm openssl-devel-1.0.0-25.el6_3.3.i686.rpm openssl-devel-1.0.0-25.el6_3.3.x86_64.rpm Red Hat Enterprise Linux Server EUS (v. 6.4): Source: openssl-1.0.0-27.el6_4.4.src.rpm i386: openssl-1.0.0-27.el6_4.4.i686.rpm openssl-debuginfo-1.0.0-27.el6_4.4.i686.rpm openssl-devel-1.0.0-27.el6_4.4.i686.rpm ppc64: openssl-1.0.0-27.el6_4.4.ppc.rpm openssl-1.0.0-27.el6_4.4.ppc64.rpm openssl-debuginfo-1.0.0-27.el6_4.4.ppc.rpm openssl-debuginfo-1.0.0-27.el6_4.4.ppc64.rpm openssl-devel-1.0.0-27.el6_4.4.ppc.rpm openssl-devel-1.0.0-27.el6_4.4.ppc64.rpm s390x: openssl-1.0.0-27.el6_4.4.s390.rpm openssl-1.0.0-27.el6_4.4.s390x.rpm openssl-debuginfo-1.0.0-27.el6_4.4.s390.rpm openssl-debuginfo-1.0.0-27.el6_4.4.s390x.rpm openssl-devel-1.0.0-27.el6_4.4.s390.rpm openssl-devel-1.0.0-27.el6_4.4.s390x.rpm x86_64: openssl-1.0.0-27.el6_4.4.i686.rpm openssl-1.0.0-27.el6_4.4.x86_64.rpm openssl-debuginfo-1.0.0-27.el6_4.4.i686.rpm openssl-debuginfo-1.0.0-27.el6_4.4.x86_64.rpm openssl-devel-1.0.0-27.el6_4.4.i686.rpm openssl-devel-1.0.0-27.el6_4.4.x86_64.rpm Red Hat Enterprise Linux Server Optional EUS (v. 6.3): Source: openssl-1.0.0-25.el6_3.3.src.rpm i386: openssl-debuginfo-1.0.0-25.el6_3.3.i686.rpm openssl-perl-1.0.0-25.el6_3.3.i686.rpm openssl-static-1.0.0-25.el6_3.3.i686.rpm ppc64: openssl-debuginfo-1.0.0-25.el6_3.3.ppc64.rpm openssl-perl-1.0.0-25.el6_3.3.ppc64.rpm openssl-static-1.0.0-25.el6_3.3.ppc64.rpm s390x: openssl-debuginfo-1.0.0-25.el6_3.3.s390x.rpm openssl-perl-1.0.0-25.el6_3.3.s390x.rpm openssl-static-1.0.0-25.el6_3.3.s390x.rpm x86_64: openssl-debuginfo-1.0.0-25.el6_3.3.x86_64.rpm openssl-perl-1.0.0-25.el6_3.3.x86_64.rpm openssl-static-1.0.0-25.el6_3.3.x86_64.rpm Red Hat Enterprise Linux Server Optional EUS (v. 6.4): Source: openssl-1.0.0-27.el6_4.4.src.rpm i386: openssl-debuginfo-1.0.0-27.el6_4.4.i686.rpm openssl-perl-1.0.0-27.el6_4.4.i686.rpm openssl-static-1.0.0-27.el6_4.4.i686.rpm ppc64: openssl-debuginfo-1.0.0-27.el6_4.4.ppc64.rpm openssl-perl-1.0.0-27.el6_4.4.ppc64.rpm openssl-static-1.0.0-27.el6_4.4.ppc64.rpm s390x: openssl-debuginfo-1.0.0-27.el6_4.4.s390x.rpm openssl-perl-1.0.0-27.el6_4.4.s390x.rpm openssl-static-1.0.0-27.el6_4.4.s390x.rpm x86_64: openssl-debuginfo-1.0.0-27.el6_4.4.x86_64.rpm openssl-perl-1.0.0-27.el6_4.4.x86_64.rpm openssl-static-1.0.0-27.el6_4.4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-0224.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/site/articles/904433 https://access.redhat.com/site/solutions/905793 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTkGEBXlSAg2UNWIIRAhH7AKCBIVa173E+oLwgHhXT0Gs0j+8jdgCgn6OR LaIZIdJViXsCzRKV3pFo2m0= =O0ah -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

AFFECTED PRODUCTS