CentOS ProjectCESA-2005:476openssl, openssl096b security update
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:C/I:N/A:N
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS
Percentile
32.3%
CentOS Errata and Security Advisory CESA-2005:476
OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.
Colin Percival reported a cache timing attack that could allow a malicious
local user to gain portions of cryptographic keys. The Common
Vulnerabilities and Exposures project (cve.mitre.org) assigned the name
CAN-2005-0109 to the issue. The OpenSSL library has been patched to add a
new fixed-window mod_exp implementation as default for RSA, DSA, and DH
private-key operations. This patch is designed to mitigate cache timing
and potentially related attacks.
A flaw was found in the way the der_chop script creates temporary files. It
is possible that a malicious local user could cause der_chop to overwrite
files (CAN-2004-0975). The der_chop script was deprecated and has been
removed from these updated packages. Red Hat Enterprise Linux 4 did not
ship der_chop and is therefore not vulnerable to this issue.
Users are advised to update to these erratum packages which contain patches
to correct these issues.
Please note: After installing this update, users are advised to either
restart all services that use OpenSSL or restart their system.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2005-June/073935.html
https://lists.centos.org/pipermail/centos-announce/2005-June/073936.html
https://lists.centos.org/pipermail/centos-announce/2005-June/073937.html
https://lists.centos.org/pipermail/centos-announce/2005-June/073938.html
https://lists.centos.org/pipermail/centos-announce/2005-June/073944.html
https://lists.centos.org/pipermail/centos-announce/2005-June/073947.html
https://lists.centos.org/pipermail/centos-announce/2005-June/073949.html
Affected packages:
openssl
openssl-devel
openssl-perl
openssl096b
Upstream details at:
https://access.redhat.com/errata/RHSA-2005:476
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| CentOS | 4 | i386 | openssl | < 0.9.7a-43.2 | openssl-0.9.7a-43.2.i386.rpm |
| CentOS | 4 | i586 | openssl | < 0.9.7a-43.2 | openssl-0.9.7a-43.2.i586.rpm |
| CentOS | 4 | i686 | openssl | < 0.9.7a-43.2 | openssl-0.9.7a-43.2.i686.rpm |
| CentOS | 4 | i386 | openssl-devel | < 0.9.7a-43.2 | openssl-devel-0.9.7a-43.2.i386.rpm |
| CentOS | 4 | i386 | openssl-perl | < 0.9.7a-43.2 | openssl-perl-0.9.7a-43.2.i386.rpm |
| CentOS | 4 | i386 | openssl096b | < 0.9.6b-22.3 | openssl096b-0.9.6b-22.3.i386.rpm |
| CentOS | 4 | i686 | openssl | < 0.9.7a-43.2 | openssl-0.9.7a-43.2.i686.rpm |
| CentOS | 4 | x86_64 | openssl | < 0.9.7a-43.2 | openssl-0.9.7a-43.2.x86_64.rpm |
| CentOS | 4 | x86_64 | openssl-devel | < 0.9.7a-43.2 | openssl-devel-0.9.7a-43.2.x86_64.rpm |
| CentOS | 4 | x86_64 | openssl-perl | < 0.9.7a-43.2 | openssl-perl-0.9.7a-43.2.x86_64.rpm |
Related
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:C/I:N/A:N
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS
Percentile
32.3%