- Issued:
- 2015-07-22
- Updated:
- 2015-07-22
RHBA-2015:1398 - openssl bug fix and enhancement update
Synopsis
openssl bug fix and enhancement update
Type/Severity
Bug Fix Advisory
Topic
Updated openssl packages that fix two bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
Description
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.
This update fixes the following bugs:
-
Previously, the ciphers(1) manual page did not describe the following Elliptic Curve Cryptography (ECC) cipher suite groups: Elliptic Curve Diffie–Hellman (ECDH) and Elliptic Curve Digital Signature Algorithm (ECDSA), or TLS version 1.2 (TLSv1.2) specific features. This update adds the missing description of the ECDH and ECDSA cipher groups and TLSv1.2 features to ciphers(1), and the documentation is now complete. (BZ#1119191)
-
The server-side renegotiation support did previously not work as expected under certain circumstances. A PostgreSQL failure of database dumps through TLS connection could occur when the size of the dumped data was larger than the value defined in the ssl_renegotiation_limit setting. The regression that caused this bug has been fixed, and the PostgreSQL database dumps through TLS connection no longer fail in the described situation. (BZ#1234487)
In addition, this update adds the following enhancement:
- This update adds the "-keytab" option to the "openssl s_server" command and the "-krb5svc" option to the "openssl s_server" and "openssl s_client" commands. The "-keytab" option allows the user to specify a custom keytab location; if the user does not add "-keytab", the openssl utility assumes the default keytab location. The "-krb5svc" option enables selecting a service other than the "host" service; this allows unprivileged users without keys to the host principal to use "openssl s_server" and "open s_client" with Kerberos. (BZ#961965)
Users of openssl are advised to upgrade to these updated packages, which fix these bugs and add this enhancement. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Enterprise Linux for Scientific Computing | 6 | x86_64 |
| Red Hat Enterprise Linux for Power, big endian | 6 | ppc64 |
| Red Hat Enterprise Linux for IBM z Systems | 6 | s390x |
| Red Hat Enterprise Linux Workstation | 6 | x86_64 |
| Red Hat Enterprise Linux Workstation | 6 | i386 |
| Red Hat Enterprise Linux Server | 6 | x86_64 |
| Red Hat Enterprise Linux Server | 6 | i386 |
| Red Hat Enterprise Linux Server from RHUI | 6 | x86_64 |
| Red Hat Enterprise Linux Server from RHUI | 6 | i386 |
| Red Hat Enterprise Linux Server - Retired Extended Life Cycle Support | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Desktop | 6 | x86_64 |
| Red Hat Enterprise Linux Desktop | 6 | i386 |
Updated Packages
- openssl-perl-1.0.1e-42.el6.ppc64.rpm
- openssl-1.0.1e-42.el6.i686.rpm
- openssl-debuginfo-1.0.1e-42.el6.x86_64.rpm
- openssl-debuginfo-1.0.1e-42.el6.i686.rpm
- openssl-1.0.1e-42.el6.ppc.rpm
- openssl-devel-1.0.1e-42.el6.s390.rpm
- openssl-devel-1.0.1e-42.el6.x86_64.rpm
- openssl-perl-1.0.1e-42.el6.x86_64.rpm
- openssl-perl-1.0.1e-42.el6.i686.rpm
- openssl-1.0.1e-42.el6.x86_64.rpm
- openssl-devel-1.0.1e-42.el6.ppc.rpm
- openssl-devel-1.0.1e-42.el6.ppc64.rpm
- openssl-1.0.1e-42.el6.s390.rpm
- openssl-static-1.0.1e-42.el6.i686.rpm
- openssl-static-1.0.1e-42.el6.x86_64.rpm
- openssl-static-1.0.1e-42.el6.ppc64.rpm
- openssl-debuginfo-1.0.1e-42.el6.s390x.rpm
- openssl-debuginfo-1.0.1e-42.el6.ppc64.rpm
- openssl-devel-1.0.1e-42.el6.s390x.rpm
- openssl-perl-1.0.1e-42.el6.s390x.rpm
- openssl-1.0.1e-42.el6.ppc64.rpm
- openssl-debuginfo-1.0.1e-42.el6.s390.rpm
- openssl-debuginfo-1.0.1e-42.el6.ppc.rpm
- openssl-static-1.0.1e-42.el6.s390x.rpm
- openssl-1.0.1e-42.el6.s390x.rpm
- openssl-1.0.1e-42.el6.src.rpm
- openssl-devel-1.0.1e-42.el6.i686.rpm
Fixes
- This content is not included.BZ - 1119191
- This content is not included.BZ - 1150032
- This content is not included.BZ - 1226209
- This content is not included.BZ - 1234487
CVEs
(none)
References
(none)
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.