ALAS-2013-171


Amazon Linux AMI Security Advisory: ALAS-2013-171
Advisory Release Date: 2014-09-15 22:41 Pacific
Severity: Medium

Issue Overview:

It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-0169 )

A NULL pointer dereference flaw was found in the OCSP response verification in OpenSSL. A malicious OCSP server could use this flaw to crash applications performing OCSP verification by sending a specially-crafted response. (CVE-2013-0166 )

It was discovered that the TLS/SSL protocol could leak information about plain text when optional compression was used. An attacker able to control part of the plain text sent over an encrypted TLS/SSL connection could possibly use this flaw to recover other portions of the plain text. (CVE-2012-4929 )

Note: This update disables zlib compression, which was previously enabled in OpenSSL by default. Applications using OpenSSL now need to explicitly enable zlib compression to use it.


Affected Packages:

openssl


Issue Correction:
Run yum update openssl to update your system.

New Packages:
i686:
    openssl-devel-1.0.0k-1.48.amzn1.i686
    openssl-static-1.0.0k-1.48.amzn1.i686
    openssl-1.0.0k-1.48.amzn1.i686
    openssl-debuginfo-1.0.0k-1.48.amzn1.i686
    openssl-perl-1.0.0k-1.48.amzn1.i686

src:
    openssl-1.0.0k-1.48.amzn1.src

x86_64:
    openssl-debuginfo-1.0.0k-1.48.amzn1.x86_64
    openssl-1.0.0k-1.48.amzn1.x86_64
    openssl-devel-1.0.0k-1.48.amzn1.x86_64
    openssl-perl-1.0.0k-1.48.amzn1.x86_64
    openssl-static-1.0.0k-1.48.amzn1.x86_64