- Issued: 2011-12-06
- Updated: 2011-12-06
RHBA-2011:1730 - openssl bug fix and enhancement update
Synopsis
openssl bug fix and enhancement update
Type/Severity
Bug Fix Advisory (none)
Topic
Updated openssl packages that fix two bugs and add several enhancements are now available for Red Hat Enterprise Linux 6.
Description
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.
This update fixes the following bugs:
- Prior to this update, repeatedly loading and unloading the CHIL engine could cause the calling program to terminate unexpectedly with a segmentation fault. This happened because a function pointer was not properly cleared after the engine was unloaded. With this update, the underlying source code has been corrected to clear the function pointer when the engine is unloaded, and the calling program no longer crashes in this scenario. (BZ#693863)
- Due to missing variable initialization, the CHIL engine could occasionally fail to load. This update corrects the underlying source code to properly initialize this variable so that the CHIL engine is no longer prevented from loading. (BZ#740188)
In addition, this update adds the following enhancements:
- The performance of the AES encryption algorithm on CPUs with the AES-NI instruction set, as well as of the SHA-1 and RC4 algorithms on 32-bit and 64-bit x86 architectures, has been significantly improved. (BZ#696389)
- For testing purposes, the OpenSSL source RPM package can now be built without additional patches. (BZ#708511)
- Partial RELRO is now enabled during the build of the OpenSSL libraries to improve the security hardening of applications that use these libraries. (BZ#723994)
- Users can now explicitly disable the built-in AES-NI (Advanced Encryption Standard New Instructions) CPU instruction acceleration support by setting the OPENSSL_DISABLE_AES_NI environment variable to any value. (BZ#726081)
- Prior to this update, there was no direct KAT (known answer test) self-test for the SHA-2 algorithms in FIPS mode; these algorithms were self-tested only during the HMAC self-tests. This update provides an implementation of the direct KAT self-test for SHA-2 algorithms. (BZ#740872)
- Previously, the manual and help pages for various subcommands of the openssl utility did not specify all digest algorithms. This update adapts these pages, and users are now instructed to run the "openssl dgst -h" command, which lists all available digests. (BZ#693858)
All users of openssl are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
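One way to confirm the RELRO level of the installed OpenSSL libraries after updating, as an added example that is not part of the advisory: partial RELRO shows up as a GNU_RELRO program header without immediate binding, so the PLT part of the GOT stays writable, while full RELRO adds BIND_NOW. The function name classify_relro and the sample readelf excerpts are constructed here, and the script assumes binutils' readelf is installed and that the library paths are passed as arguments.

```shell
#!/bin/sh
# Classify the RELRO hardening level of an ELF object from the text that
# `readelf -W -l -d FILE` prints.
#   none    - no GNU_RELRO program header
#   partial - GNU_RELRO present, lazy binding (.got.plt stays writable)
#   full    - GNU_RELRO present and immediate binding (BIND_NOW)
classify_relro() {
    text=$1
    if ! printf '%s\n' "$text" | grep -Eq '^[[:space:]]*GNU_RELRO[[:space:]]'; then
        echo none
        return 0
    fi
    # Immediate binding appears as DT_BIND_NOW, as BIND_NOW in DT_FLAGS,
    # or as NOW in DT_FLAGS_1.
    if printf '%s\n' "$text" |
        grep -Eq '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'; then
        echo full
    else
        echo partial
    fi
}

# Constructed readelf excerpts (not taken from a real openssl build).
SAMPLE_PARTIAL='  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x1a0000 0x1a0000 R E 0x200000
  DYNAMIC        0x1b2000 0x00000000003b2000 0x00000000003b2000 0x0001f0 0x0001f0 RW  0x8
  GNU_RELRO      0x1a1000 0x00000000003a1000 0x00000000003a1000 0x012000 0x012000 R   0x1
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'
SAMPLE_FULL="$SAMPLE_PARTIAL
 0x0000000000000018 (BIND_NOW)"
SAMPLE_NONE='  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x1a0000 0x1a0000 R E 0x200000
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# Report every file named on the command line (paths supplied by the caller,
# for example the installed libcrypto and libssl shared objects).
for f in "$@"; do
    if out=$(readelf -W -l -d "$f" 2>/dev/null); then
        printf '%s: %s\n' "$f" "$(classify_relro "$out")"
    else
        printf '%s: not a readable ELF file\n' "$f"
    fi
done
```

With this update applied, the OpenSSL shared libraries are expected to report `partial` rather than `none`.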
Solution
Before applying this update, make sure all previously-released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Enterprise Linux for Scientific Computing | 6 | x86_64 |
| Red Hat Enterprise Linux for Power, big endian | 6 | ppc64 |
| Red Hat Enterprise Linux for IBM z Systems | 6 | s390x |
| Red Hat Enterprise Linux Workstation | 6 | x86_64 |
| Red Hat Enterprise Linux Workstation | 6 | i386 |
| Red Hat Enterprise Linux Server | 6 | x86_64 |
| Red Hat Enterprise Linux Server | 6 | i386 |
| Red Hat Enterprise Linux Server from RHUI | 6 | x86_64 |
| Red Hat Enterprise Linux Server from RHUI | 6 | i386 |
| Red Hat Enterprise Linux Server - Retired Extended Life Cycle Support | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Desktop | 6 | x86_64 |
| Red Hat Enterprise Linux Desktop | 6 | i386 |
Updated Packages
- openssl-debuginfo-1.0.0-20.el6.x86_64.rpm
- openssl-devel-1.0.0-20.el6.ppc64.rpm
- openssl-perl-1.0.0-20.el6.i686.rpm
- openssl-1.0.0-20.el6.ppc64.rpm
- openssl-1.0.0-20.el6.ppc.rpm
- openssl-devel-1.0.0-20.el6.s390.rpm
- openssl-1.0.0-20.el6.i686.rpm
- openssl-perl-1.0.0-20.el6.x86_64.rpm
- openssl-devel-1.0.0-20.el6.i686.rpm
- openssl-1.0.0-20.el6.x86_64.rpm
- openssl-static-1.0.0-20.el6.i686.rpm
- openssl-debuginfo-1.0.0-20.el6.i686.rpm
- openssl-debuginfo-1.0.0-20.el6.ppc.rpm
- openssl-devel-1.0.0-20.el6.x86_64.rpm
- openssl-1.0.0-20.el6.src.rpm
- openssl-perl-1.0.0-20.el6.ppc64.rpm
- openssl-static-1.0.0-20.el6.ppc64.rpm
- openssl-debuginfo-1.0.0-20.el6.s390.rpm
- openssl-perl-1.0.0-20.el6.s390x.rpm
- openssl-static-1.0.0-20.el6.x86_64.rpm
- openssl-static-1.0.0-20.el6.s390x.rpm
- openssl-1.0.0-20.el6.s390.rpm
- openssl-1.0.0-20.el6.s390x.rpm
- openssl-debuginfo-1.0.0-20.el6.s390x.rpm
- openssl-devel-1.0.0-20.el6.ppc.rpm
- openssl-debuginfo-1.0.0-20.el6.ppc64.rpm
- openssl-devel-1.0.0-20.el6.s390x.rpm
Fixes
- BZ - 693858
- BZ - 693863
- BZ - 708511
- BZ - 723994
- BZ - 740188
CVEs
(none)
References
(none)
Additional information
- The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data is available for integration with other systems. See Offline Security Data API to get started.