[El-errata] New openssl updates available via Ksplice (ELSA-2016-0301)
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Tue Mar 1 17:48:17 PST 2016
Synopsis: ELSA-2016-0301 can now be patched using Ksplice
CVEs: CVE-2015-3197 CVE-2016-0702 CVE-2016-0705 CVE-2016-0797 CVE-2016-0800
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Security Advisory, ELSA-2016-0301.
INSTALLING THE UPDATES
We recommend that all users of Ksplice on OL 6 install these updates.
You can install these updates by running:
# ksplice -y user upgrade
32-bit applications should be restarted after upgrading the on-disk
openssl RPMs and statically linked applications using
openssl should be rebuilt to include these fixes.
DESCRIPTION
* CVE-2015-3197: SSLv2 cipher downgrade.
A flaw in the cipher negotiation for SSLv2 connections could allow an
attacker to force selection of a cipher that had previously been
disabled on the server, leaving the connection vulnerable to a
man-in-the-middle attack.
* CVE-2016-0800: Cross-protocol attack on TLS with SSLv2 (DROWN).
A padding oracle flaw was found in the SSLv2 protocol, allowing a remote
attacker to use this flaw to decrypt session data secured with a newer
SSL/TLS protocol.
This Ksplice update disables server-side SSLv2 for all processes.
Legacy applications using SSLv2 should either exclude those processes
from Ksplice updates by adding them to the /etc/ksplice/blacklist.d
configuration files, or restart using an updated on-disk version of
OpenSSL and clear the SSL_OP_NO_SSLv2 with either
SSL_CTX_clear_options() or SSL_clear_options() as appropriate.
* CVE-2016-0702: RSA key disclosure on Sandy Bridge CPU's (CacheBleed).
Non-constant time operations in the modular exponentiation algorithms
could result in a timing side-channel attack when an attacker could run
code on the same system using the flaw to recover RSA keys.
* CVE-2016-0705: Denial-of-service in DSA key parsing.
A flaw in DSA private key parsing could allow an attacker to cause a
crash in an application that accepted DSA keys from untrusted sources.
* CVE-2016-0797: Denial-of-service in big number printing.
A flaw in the BN_hex2bn/BN_dec2bn implementations could result in a NULL
pointer dereference or heap corruption when printing a large integer.
An attacker that could trigger printing of untrusted data could use this
flaw to crash the application.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the El-errata
mailing list