Lucene search
This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. or an Affiliate thereof.REDHAT-RHSA-2010-0978.NASLHistoryDec 14, 2010 - 12:00 a.m.
RHEL 5 : openssl (RHSA-2010:0978)
2010-12-1400:00:00
This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
13
Updated openssl packages that fix two security issues are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.
A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code. A remote attacker could possibly use this flaw to change the ciphersuite associated with a cached session stored on the server, if the server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly forcing the client to use a weaker ciphersuite after resuming the session. (CVE-2010-4180, CVE-2008-7270)
Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this bug workaround can no longer be enabled.
All OpenSSL users should upgrade to these updated packages, which contain a backported patch to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2010:0978. The text
# itself is copyright (C) Red Hat, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(51156);
script_version("1.19");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/14");
script_cve_id("CVE-2008-7270", "CVE-2010-4180");
script_bugtraq_id(45164, 45254);
script_xref(name:"RHSA", value:"2010:0978");
script_name(english:"RHEL 5 : openssl (RHSA-2010:0978)");
script_summary(english:"Checks the rpm output for the updated packages");
script_set_attribute(
attribute:"synopsis",
value:"The remote Red Hat host is missing one or more security updates."
);
script_set_attribute(
attribute:"description",
value:
"Updated openssl packages that fix two security issues are now
available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having
moderate security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL
v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a
full-strength, general purpose cryptography library.
A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server
code. A remote attacker could possibly use this flaw to change the
ciphersuite associated with a cached session stored on the server, if
the server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option,
possibly forcing the client to use a weaker ciphersuite after resuming
the session. (CVE-2010-4180, CVE-2008-7270)
Note: With this update, setting the
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this
bug workaround can no longer be enabled.
All OpenSSL users should upgrade to these updated packages, which
contain a backported patch to resolve these issues. For the update to
take effect, all services linked to the OpenSSL library must be
restarted, or the system rebooted."
);
script_set_attribute(
attribute:"see_also",
value:"https://access.redhat.com/security/cve/cve-2008-7270"
);
script_set_attribute(
attribute:"see_also",
value:"https://access.redhat.com/security/cve/cve-2010-4180"
);
script_set_attribute(
attribute:"see_also",
value:"https://access.redhat.com/errata/RHSA-2010:0978"
);
script_set_attribute(
attribute:"solution",
value:
"Update the affected openssl, openssl-devel and / or openssl-perl
packages."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssl-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssl-perl");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
script_set_attribute(attribute:"vuln_publication_date", value:"2010/12/06");
script_set_attribute(attribute:"patch_publication_date", value:"2010/12/13");
script_set_attribute(attribute:"plugin_publication_date", value:"2010/12/14");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Red Hat Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + os_ver);
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
rhsa = "RHSA-2010:0978";
yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
if (!empty_or_null(yum_report))
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : yum_report
);
exit(0);
}
else
{
audit_message = "affected by Red Hat security advisory " + rhsa;
audit(AUDIT_OS_NOT, audit_message);
}
}
else
{
flag = 0;
if (rpm_check(release:"RHEL5", reference:"openssl-0.9.8e-12.el5_5.7")) flag++;
if (rpm_check(release:"RHEL5", reference:"openssl-devel-0.9.8e-12.el5_5.7")) flag++;
if (rpm_check(release:"RHEL5", cpu:"i386", reference:"openssl-perl-0.9.8e-12.el5_5.7")) flag++;
if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"openssl-perl-0.9.8e-12.el5_5.7")) flag++;
if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"openssl-perl-0.9.8e-12.el5_5.7")) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get() + redhat_report_package_caveat()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssl / openssl-devel / openssl-perl");
}
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| redhat | enterprise_linux | openssl | p-cpe:/a:redhat:enterprise_linux:openssl |
| redhat | enterprise_linux | openssl-devel | p-cpe:/a:redhat:enterprise_linux:openssl-devel |
| redhat | enterprise_linux | openssl-perl | p-cpe:/a:redhat:enterprise_linux:openssl-perl |
| redhat | enterprise_linux | 5 | cpe:/o:redhat:enterprise_linux:5 |
Related
prion
prion
Session fixation
2010-12-06 22:30:00
Session fixation
2010-12-06 21:05:00
openvas
openvas
RedHat Update for openssl RHSA-2010:0978-01
2010-12-28 00:00:00
CentOS Update for openssl CESA-2010:0978 centos5 i386
2011-08-09 00:00:00
RedHat Update for openssl RHSA-2010:0978-01
2010-12-28 00:00:00
centos
centos
openssl security update
2010-12-14 01:19:08
openssl security update
2011-01-27 09:11:13
debiancve
debiancve
CVE-2008-7270
2010-12-06 22:30:00
CVE-2010-4180
2010-12-06 21:05:00
f5
f5
K12853 : OpenSSL vulnerability CVE-2008-7270
2013-09-04 00:00:00
SOL12853 - OpenSSL vulnerability CVE-2008-7270
2011-05-24 00:00:00
SOL12543 - OpenSSL vulnerability CVE-2010-4180
2011-01-26 00:00:00
nessus
nessus
CentOS 5 : openssl (CESA-2010:0978)
2010-12-14 00:00:00
Oracle Linux 5 : openssl (ELSA-2010-0978)
2013-07-12 00:00:00
ubuntu
ubuntu
OpenSSL vulnerabilities
2010-12-08 00:00:00
redhat
redhat
(RHSA-2010:0978) Moderate: openssl security update
2010-12-13 00:00:00
(RHSA-2010:0977) Moderate: openssl security update
2010-12-13 00:00:00
(RHSA-2010:0979) Moderate: openssl security update
2010-12-13 00:00:00
oraclelinux
oraclelinux
openssl security update
2010-12-13 00:00:00
openssl security update
2010-12-13 00:00:00
openssl security update
2011-02-10 00:00:00
securityvulns
securityvulns
[USN-1029-1] OpenSSL vulnerabilities
2010-12-09 00:00:00
OpenSSL protection level downgrade
2010-12-09 00:00:00
ubuntucve
ubuntucve
CVE-2008-7270
2010-12-06 00:00:00
CVE-2010-4180
2010-12-06 00:00:00
cve
cve
CVE-2008-7270
2010-12-06 22:30:00
CVE-2010-4180
2010-12-06 21:05:00
veracode
veracode
Insecure TLS Configuration
2020-04-10 00:56:25
Insecure TLS Configuration
2020-04-10 00:56:26
openssl
openssl
Vulnerability in OpenSSL CVE-2010-4180
2010-12-02 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 9 package openssl10 version 1.0.0c-alt1
2011-02-01 00:00:00
Security fix for the ALT Linux 8 package openssl10 version 1.0.0c-alt1
2011-02-01 00:00:00
Security fix for the ALT Linux 7 package openssl10 version 1.0.0c-alt1
2011-02-01 00:00:00
slackware
slackware
[slackware-security] openssl
2010-12-07 07:14:58
osv
osv
openssl - protocol design flaw
2011-01-06 00:00:00
nss - protocol design flaw
2011-01-06 00:00:00
fedora
fedora
[SECURITY] Fedora 14 Update: openssl-1.0.0c-1.fc14
2010-12-10 20:26:33
[SECURITY] Fedora 14 Update: openssl-1.0.0d-1.fc14
2011-02-14 20:28:21
[SECURITY] Fedora 13 Update: openssl-1.0.0c-1.fc13
2010-12-17 08:35:37
debian
debian
[SECURITY] [DSA-2141-1] New openssl packages fix protocol design flaw
2011-01-05 23:18:09
[SECURITY] [DSA-2141-1] New openssl packages fix protocol design flaw
2011-01-05 23:18:09
suse
suse
compat-openssl097g (important)
2011-07-27 16:08:25
Security update for compat-openssl097g (important)
2011-07-27 17:08:16
cert
cert
ibm
ibm
gentoo
gentoo
OpenSSL: Multiple vulnerabilities
2011-10-09 00:00:00
lenovo
lenovo
Intelยฎ PROSet/Wireless WiFi Software Vulnerabilities - Lenovo Support US
2018-11-13 17:10:51
Intelยฎ PROSet/Wireless WiFi Software Vulnerabilities - US
2018-11-13 17:10:51
vmware
vmware
VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
2011-10-27 00:00:00
VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
2011-10-27 00:00:00
VMware vSphere and vCOps updates to third party libraries
2012-08-30 00:00:00
Related for REDHAT-RHSA-2010-0978.NASL