ALAS-2016-749


Amazon Linux AMI Security Advisory: ALAS-2016-749
Advisory Release Date: 2016-09-26 12:00 Pacific
Severity: Important
References: CVE-2016-6304 

Issue Overview:

A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support.

The OpenSSL Security Advisory [22 Sep 2016] refers to additional CVEs. CVE-2016-6305 does not affect OpenSSL 1.0.1. The remaining CVEs listed will be fixed in a later update.

The OpenSSL Security Advisory [26 Sep 2016] refers to two additional CVEs which do not affect OpenSSL 1.0.1.

(Updated 2016-09-26: Included a reference to the 26 Sep 2016 upstream advisory.)


Affected Packages:

openssl


Issue Correction:
Run yum update openssl to update your system.

New Packages:
i686:
    openssl-devel-1.0.1k-15.95.amzn1.i686
    openssl-debuginfo-1.0.1k-15.95.amzn1.i686
    openssl-perl-1.0.1k-15.95.amzn1.i686
    openssl-static-1.0.1k-15.95.amzn1.i686
    openssl-1.0.1k-15.95.amzn1.i686

src:
    openssl-1.0.1k-15.95.amzn1.src

x86_64:
    openssl-static-1.0.1k-15.95.amzn1.x86_64
    openssl-perl-1.0.1k-15.95.amzn1.x86_64
    openssl-debuginfo-1.0.1k-15.95.amzn1.x86_64
    openssl-devel-1.0.1k-15.95.amzn1.x86_64
    openssl-1.0.1k-15.95.amzn1.x86_64