Medium: openssl

Issue Overview:

It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-0169)

A NULL pointer dereference flaw was found in the OCSP response verification in OpenSSL. A malicious OCSP server could use this flaw to crash applications performing OCSP verification by sending a specially-crafted response. (CVE-2013-0166)

It was discovered that the TLS/SSL protocol could leak information about plain text when optional compression was used. An attacker able to control part of the plain text sent over an encrypted TLS/SSL connection could possibly use this flaw to recover other portions of the plain text. (CVE-2012-4929)

Note: This update disables zlib compression, which was previously enabled in OpenSSL by default. Applications using OpenSSL now need to explicitly enable zlib compression to use it.

Affected Packages:

openssl

Issue Correction:
Run yum update openssl to update your system.

New Packages:

i686:  
    openssl-devel-1.0.0k-1.48.amzn1.i686  
    openssl-static-1.0.0k-1.48.amzn1.i686  
    openssl-1.0.0k-1.48.amzn1.i686  
    openssl-debuginfo-1.0.0k-1.48.amzn1.i686  
    openssl-perl-1.0.0k-1.48.amzn1.i686  
  
src:  
    openssl-1.0.0k-1.48.amzn1.src  
  
x86_64:  
    openssl-debuginfo-1.0.0k-1.48.amzn1.x86_64  
    openssl-1.0.0k-1.48.amzn1.x86_64  
    openssl-devel-1.0.0k-1.48.amzn1.x86_64  
    openssl-perl-1.0.0k-1.48.amzn1.x86_64  
    openssl-static-1.0.0k-1.48.amzn1.x86_64  

Additional References

Red Hat: CVE-2012-4929, CVE-2013-0166, CVE-2013-0169

Mitre: CVE-2012-4929, CVE-2013-0166, CVE-2013-0169