CVSS3: 5.6 Medium
  Attack Vector: LOCAL
  Attack Complexity: HIGH
  Privileges Required: LOW
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
CVSS2: 4.7 Medium
  Access Vector: LOCAL
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: AV:L/AC:M/Au:N/C:C/I:N/A:N
EPSS: 0.001 Low
  Percentile: 31.6%
CentOS Errata and Security Advisory CESA-2005:476-01
OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.
Colin Percival reported a cache timing attack that could allow a malicious
local user to gain portions of cryptographic keys. The Common
Vulnerabilities and Exposures project (cve.mitre.org) assigned the name
CAN-2005-0109 to the issue. The OpenSSL library has been patched to add a
new fixed-window mod_exp implementation as the default for RSA, DSA, and DH
private-key operations. This patch is designed to mitigate cache timing
and potentially related attacks.
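To make the mitigation concrete, here is an added example (written for this page, not code from the advisory or from OpenSSL) that places a plain left-to-right square-and-multiply exponentiation beside a fixed-window one and counts multiplications. The modulus and exponents are constructed toy values, not key material, and the window width `w` is a parameter chosen here. With square-and-multiply the multiply count tracks the secret exponent's bit pattern; with fixed windows every w-bit digit costs the same work, so the count depends only on the exponent's length. The table index is still secret, and a real implementation (as the OpenSSL patch does) must also make the table read independent of that index, which this Python list does not model.

```python
"""Square-and-multiply versus fixed-window modular exponentiation.

Added example, not part of the advisory or of OpenSSL. Values are
constructed for illustration and are not real key material.
"""


def square_and_multiply(base: int, exp: int, mod: int) -> tuple[int, int]:
    """Left-to-right binary exponentiation.

    Returns (result, multiply_count). A multiply is performed only for set
    exponent bits, so the number and timing of multiplications follow the
    secret exponent's bit pattern: the leak the advisory describes.
    """
    result = 1
    mults = 0
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        if bit == "1":  # secret-dependent branch
            result = (result * base) % mod
            mults += 1
    return result, mults


def fixed_window(base: int, exp: int, mod: int, w: int = 4) -> tuple[int, int]:
    """Fixed-window exponentiation with window width w (w is our choice here).

    Precomputes base^0 .. base^(2^w - 1), then processes the exponent in w-bit
    digits from the top. Every digit costs exactly w squarings and one table
    multiply, even when the digit is 0, so the operation count depends only on
    the padded bit length of the exponent, not on its bits. The table index
    remains secret; hiding it from the cache is a separate step not modelled here.
    """
    table = [1] * (1 << w)
    for i in range(1, 1 << w):
        table[i] = (table[i - 1] * base) % mod

    nbits = max(1, exp.bit_length())
    nwindows = -(-nbits // w)  # ceiling division: pad to whole windows
    mask = (1 << w) - 1
    result = 1
    mults = 0
    for i in range(nwindows - 1, -1, -1):
        for _ in range(w):
            result = (result * result) % mod
        digit = (exp >> (i * w)) & mask
        result = (result * table[digit]) % mod  # always performed
        mults += 1
    return result, mults


def demo() -> dict:
    """Compare multiply counts for two exponents of equal bit length (64)."""
    mod = (1 << 127) - 1            # constructed modulus (2^127 - 1)
    base = 5                        # constructed base
    light = (1 << 63) | 1           # 64 bits, Hamming weight 2
    heavy = (1 << 64) - 1           # 64 bits, Hamming weight 64
    out = {}
    for name, e in (("light", light), ("heavy", heavy)):
        r1, m1 = square_and_multiply(base, e, mod)
        r2, m2 = fixed_window(base, e, mod)
        assert r1 == r2 == pow(base, e, mod)
        out[name] = {"square_and_multiply_mults": m1, "fixed_window_mults": m2}
    return out


if __name__ == "__main__":
    for name, counts in demo().items():
        print(name, counts)
```

Running `demo()` shows the square-and-multiply count jumping from 2 to 64 between the two exponents while the fixed-window count stays at 16 for both, which is the property the advisory's new default is meant to provide.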
A flaw was found in the way the der_chop script creates temporary files. It
is possible that a malicious local user could cause der_chop to overwrite
files (CAN-2004-0975). The der_chop script was deprecated and has been
removed from these updated packages. Red Hat Enterprise Linux 4 did not
ship der_chop and is therefore not vulnerable to this issue.
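The der_chop issue is the classic temporary-file race: a script that opens a predictable path under a shared directory can be made to write through a pre-planted symlink. As an added example (not the der_chop script and not code from the advisory), the function below creates a scratch file the way `mkstemp()` does, with the flags spelled out, and the demo shows it refusing a pre-existing symlink while leaving the linked file untouched. The directory, file names and contents are constructed for the demonstration.

```python
"""Exclusive, private temporary file creation.

Added example for this page; not the der_chop script. The names and
contents used in demo() are constructed for illustration.
"""
import os
import tempfile


def create_private_tempfile(directory: str, name: str) -> int:
    """Create `name` inside `directory` for exclusive, private use.

    O_EXCL makes creation fail if anything already exists at the path, a
    regular file or a pre-planted symlink alike; O_NOFOLLOW (where the
    platform has it) additionally refuses to follow a symlink at the final
    component; mode 0o600 keeps other local users out. This is the behaviour
    tempfile.mkstemp() gives you; it is written out here so the flags are visible.
    """
    path = os.path.join(directory, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def demo() -> dict:
    """Show the exclusive open refusing a planted symlink and succeeding on a fresh name."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")           # constructed target file
        with open(victim, "w") as f:
            f.write("important data\n")

        # A predictable scratch name that already exists as a symlink to the victim.
        planted = os.path.join(d, "scratch.tmp")
        os.symlink(victim, planted)
        try:
            create_private_tempfile(d, "scratch.tmp")
            results["planted_symlink_refused"] = False
        except FileExistsError:
            results["planted_symlink_refused"] = True

        with open(victim) as f:
            results["victim_intact"] = f.read() == "important data\n"

        # A name nobody has claimed: creation succeeds with private permissions.
        fd = create_private_tempfile(d, "fresh.tmp")
        os.write(fd, b"scratch\n")
        os.close(fd)
        mode = os.stat(os.path.join(d, "fresh.tmp")).st_mode & 0o777
        results["fresh_mode"] = oct(mode)
    return results


if __name__ == "__main__":
    print(demo())
```

In production code prefer `tempfile.mkstemp()` or `tempfile.NamedTemporaryFile()`, which apply the same flags and also pick an unpredictable name; the explicit version above exists only to show which flags do the work.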
Users are advised to update to these erratum packages which contain patches
to correct these issues.
Please note: After installing this update, users are advised to either
restart all services that use OpenSSL or restart their system.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2005-June/073941.html
Affected packages:
openssl
openssl-devel
openssl-perl
openssl095a
openssl096
OS | OS version | Architecture | Package | Affected version | Fixed package filename |
---|---|---|---|---|---|
CentOS | 2 | i386 | openssl095a | < 0.9.5a-25 | openssl095a-0.9.5a-25.i386.rpm |
CentOS | 2 | i386 | openssl096 | < 0.9.6-25.8 | openssl096-0.9.6-25.8.i386.rpm |
CentOS | 2 | i386 | openssl | < 0.9.6b-39 | openssl-0.9.6b-39.i386.rpm |
CentOS | 2 | i386 | openssl-devel | < 0.9.6b-39 | openssl-devel-0.9.6b-39.i386.rpm |
CentOS | 2 | i386 | openssl-perl | < 0.9.6b-39 | openssl-perl-0.9.6b-39.i386.rpm |
CentOS | 2 | i686 | openssl | < 0.9.6b-39 | openssl-0.9.6b-39.i686.rpm |