{"f5": [{"lastseen": "2017-10-12T02:11:06", "bulletinFamily": "software", "description": "**Note**: For information about signing up to receive security notice updates from F5, refer to [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>).\n\n**Note**: F5 has not evaluated specific versions that are not listed in this article for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\n**F5 products and versions that have been evaluated for this Security Advisory**\n\nProduct | Affected | Not Affected \n---|---|--- \nBIG-IP LTM | None | *9.0.0 - 9.6.1, *10.0.0 - 10.2.4, 11.x \nBIG-IP GTM | None | *9.2.2 - 9.4.8, *10.0.0 - 10.2.4, 11.x \nBIG-IP ASM | None | *9.2.0 - 9.4.8, *10.0.0 - 10.2.4, 11.x \nBIG-IP Link Controller | None | *9.2.2 - 9.4.8, *10.0.0 - 10.2.4, 11.x \nBIG-IP WebAccelerator | None | *9.4.0 - 9.4.8, *10.0.0 - 10.2.4, 11.x \nBIG-IP PSM | None | *9.4.5 - 9.4.8, *10.0.0 - 10.2.4, 11.x \nBIG-IP WAN Optimization | None | *10.0.0 - 10.2.4, 11.x \nBIG-IP APM | None | *10.1.0 - 10.2.4, 11.x \nBIG-IP Edge Gateway | None | *10.1.0 - 10.2.4, 11.x \nBIG-IP Analytics | None | 11.x \nBIG-IP AFM | None | 11.x \nBIG-IP PEM | None | 11.x \nBIG-IP AAM | None | 11.x \nFirePass | None | *5.0.0 - 5.5.2, *6.0.0 - 6.1.0, *7.0.0 \nEnterprise Manager | None | *1.0.0 - 1.8.0, *2.0.0 - 2.2.0, 3.x \nARX | None | *3.2.1 - 3.2.3, *4.0.1 - 4.1.3, *5.0.0 - 5.3.1, *6.0.0 - 6.3.0 \n \n* F5 Product Development has determined that these specific product versions are not vulnerable to the OpenSSL session cache issue indicated by CVE-2008-7270. 
While these product versions may allow a client to change the ciphersuite on a subsequent connection, the system allows the client to change to only a cipher that the server has enabled. F5 Product Development has declared that this is intended behavior and that the behavior does not introduce a security implication.\n\nHowever, these product versions use a version of OpenSSL that is affected by this vulnerability when the OpenSSL version is compiled and configured differently than the way F5 compiles and configures it. As a result, Nessus or other vulnerability scanners may incorrectly report these listed product versions as vulnerable to CVE-2008-7270. Nessus plugin 51892 looks beyond the banner string and actually verifies the behavior. While the plugin shows that the client can change the cipher, the client cannot change it to a disallowed cipher.\n\n**Vulnerability description**\n\nOpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.\n\nInformation about this advisory is available at the following location:\n\n**Note**: This link takes you to a resource outside of AskF5, and it is possible that the documents may be removed without our knowledge.\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7270>\n", "modified": "2016-01-09T02:25:00", "published": "2011-05-25T00:52:00", "href": "https://support.f5.com/csp/article/K12853", "id": "F5:K12853", "title": "OpenSSL vulnerability CVE-2008-7270", "type": "f5", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-26T17:22:52", "bulletinFamily": "software", "description": "* F5 Product Development has determined that these specific product versions are not 
vulnerable to the OpenSSL session cache issue indicated by CVE-2008-7270. While these product versions may allow a client to change the ciphersuite on a subsequent connection, the system allows the client to change to only a cipher that the server has enabled. F5 Product Development has declared that this is intended behavior and that the behavior does not introduce a security implication.\n\nHowever, these product versions use a version of OpenSSL that is affected by this vulnerability when the OpenSSL version is compiled and configured differently than the way F5 compiles and configures it. As a result, Nessus or other vulnerability scanners may incorrectly report these listed product versions as vulnerable to CVE-2008-7270. Nessus plugin 51892 looks beyond the banner string and actually verifies the behavior. While the plugin shows that the client can change the cipher, the client cannot change it to a disallowed cipher.\n\n**Vulnerability description**\n\nOpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.\n\nInformation about this advisory is available at the following location:\n\n**Note**: This link takes you to a resource outside of AskF5, and it is possible that the documents may be removed without our knowledge.\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7270>\n", "modified": "2013-09-04T00:00:00", "published": "2011-05-24T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/12000/800/sol12853.html", "id": "SOL12853", "title": "SOL12853 - OpenSSL vulnerability CVE-2008-7270", "type": "f5", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-06-08T08:16:46", "bulletinFamily": 
"software", "description": "", "modified": "2017-03-14T22:07:00", "published": "2011-01-26T22:40:00", "id": "F5:K12543", "href": "https://support.f5.com/csp/article/K12543", "title": "OpenSSL vulnerability CVE-2010-4180", "type": "f5", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-26T17:23:31", "bulletinFamily": "software", "description": "Vulnerability description\n\nOpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.\n\nInformation about this advisory is available at the following location:\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4180>\n", "modified": "2016-07-25T00:00:00", "published": "2011-01-26T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/12000/500/sol12543.html", "id": "SOL12543", "title": "SOL12543 - OpenSSL vulnerability CVE-2010-4180", "type": "f5", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-26T17:23:27", "bulletinFamily": "software", "description": "Recommended action\n\nYou can eliminate this vulnerability by running a version listed in the **Versions known to be not vulnerable** column in the previous table. If the **Versions known to be not vulnerable** column does not list a version that is higher than the version you are running, then no upgrade candidate currently exists. \n\n\nMitigating this vulnerability\n\nTo mitigate this vulnerability, you should consider the following recommendations:\n\n * Consider denying access to the Configuration utility and using only the command line and **tmsh** utility until the BIG-IP system is updated. 
If that is not possible, F5 recommends that you access the Configuration utility over only a secure network.\n * If SSL profiles are configured to use COMPAT ciphers, consider reconfiguring the profiles to use ciphers from the NATIVE SSL stack. For information about the NATIVE and COMPAT ciphers, refer to the following articles: \n \n\n * SOL13163: SSL ciphers supported on BIG-IP platforms (11.x)\n * SOL13171: Configuring the cipher strength for SSL profiles (11.x)\n * SOL13187: COMPAT SSL ciphers are no longer included in standard cipher strings\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x)\n", "modified": "2014-07-14T00:00:00", "published": "2014-07-14T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/15000/400/sol15404.html", "id": "SOL15404", "title": "SOL15404 - OpenSSL vulnerability CVE-2009-3245", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2016-09-03T11:55:48", "bulletinFamily": "NVD", "description": "OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.", "modified": "2012-04-05T23:07:51", "published": "2010-12-06T17:30:31", "id": "CVE-2008-7270", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7270", "type": "cve", "title": "CVE-2008-7270", "cvss": {"score": 4.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-09-19T13:37:09", "bulletinFamily": "NVD", "description": "OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.", "modified": "2017-09-18T21:31:41", "published": "2010-12-06T16:05:48", "id": "CVE-2010-4180", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4180", "title": "CVE-2010-4180", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-09-19T13:36:38", "bulletinFamily": "NVD", "description": "OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.", "modified": "2017-09-18T21:29:31", "published": "2010-03-05T14:30:00", "id": "CVE-2009-3245", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3245", "title": "CVE-2009-3245", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-01-16T20:11:41", "bulletinFamily": "scanner", "description": "Updated openssl packages that fix three security issues are now\navailable for Red Hat Enterprise Linux 4.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. 
Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL\nv2/v3) and Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nA ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server\ncode. A remote attacker could possibly use this flaw to change the\nciphersuite associated with a cached session stored on the server, if\nthe server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option,\npossibly forcing the client to use a weaker ciphersuite after resuming\nthe session. (CVE-2010-4180, CVE-2008-7270)\n\nNote: With this update, setting the\nSSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this\nbug workaround can no longer be enabled.\n\nIt was discovered that OpenSSL did not always check the return value\nof the bn_wexpand() function. An attacker able to trigger a memory\nallocation failure in that function could possibly crash an\napplication using the OpenSSL library and its UBSEC hardware engine\nsupport. (CVE-2009-3245)\n\nAll OpenSSL users should upgrade to these updated packages, which\ncontain backported patches to resolve these issues. 
For the update to\ntake effect, all services linked to the OpenSSL library must be\nrestarted, or the system rebooted.", "modified": "2018-11-10T00:00:00", "published": "2011-01-28T00:00:00", "id": "CENTOS_RHSA-2010-0977.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=51781", "title": "CentOS 4 : openssl (CESA-2010:0977)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2010:0977 and \n# CentOS Errata and Security Advisory 2010:0977 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(51781);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/11/10 11:49:29\");\n\n script_cve_id(\"CVE-2008-7270\", \"CVE-2009-3245\", \"CVE-2010-4180\");\n script_bugtraq_id(38562, 45164, 45254);\n script_xref(name:\"RHSA\", value:\"2010:0977\");\n\n script_name(english:\"CentOS 4 : openssl (CESA-2010:0977)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated openssl packages that fix three security issues are now\navailable for Red Hat Enterprise Linux 4.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL\nv2/v3) and Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nA ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server\ncode. 
A remote attacker could possibly use this flaw to change the\nciphersuite associated with a cached session stored on the server, if\nthe server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option,\npossibly forcing the client to use a weaker ciphersuite after resuming\nthe session. (CVE-2010-4180, CVE-2008-7270)\n\nNote: With this update, setting the\nSSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this\nbug workaround can no longer be enabled.\n\nIt was discovered that OpenSSL did not always check the return value\nof the bn_wexpand() function. An attacker able to trigger a memory\nallocation failure in that function could possibly crash an\napplication using the OpenSSL library and its UBSEC hardware engine\nsupport. (CVE-2009-3245)\n\nAll OpenSSL users should upgrade to these updated packages, which\ncontain backported patches to resolve these issues. For the update to\ntake effect, all services linked to the OpenSSL library must be\nrestarted, or the system rebooted.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2011-January/017235.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c1a1a457\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2011-January/017236.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f53d31c3\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssl packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssl\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:4\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/01/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-4\", cpu:\"i386\", reference:\"openssl-0.9.7a-43.17.el4_8.6\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"x86_64\", reference:\"openssl-0.9.7a-43.17.el4_8.6\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"i386\", reference:\"openssl-devel-0.9.7a-43.17.el4_8.6\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"x86_64\", reference:\"openssl-devel-0.9.7a-43.17.el4_8.6\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"i386\", reference:\"openssl-perl-0.9.7a-43.17.el4_8.6\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"x86_64\", reference:\"openssl-perl-0.9.7a-43.17.el4_8.6\")) flag++;\n\n\nif (flag)\n{\n 
if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-16T20:16:40", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2010:0977 :\n\nUpdated openssl packages that fix three security issues are now\navailable for Red Hat Enterprise Linux 4.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL\nv2/v3) and Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nA ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server\ncode. A remote attacker could possibly use this flaw to change the\nciphersuite associated with a cached session stored on the server, if\nthe server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option,\npossibly forcing the client to use a weaker ciphersuite after resuming\nthe session. (CVE-2010-4180, CVE-2008-7270)\n\nNote: With this update, setting the\nSSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this\nbug workaround can no longer be enabled.\n\nIt was discovered that OpenSSL did not always check the return value\nof the bn_wexpand() function. An attacker able to trigger a memory\nallocation failure in that function could possibly crash an\napplication using the OpenSSL library and its UBSEC hardware engine\nsupport. (CVE-2009-3245)\n\nAll OpenSSL users should upgrade to these updated packages, which\ncontain backported patches to resolve these issues. 
For the update to\ntake effect, all services linked to the OpenSSL library must be\nrestarted, or the system rebooted.", "modified": "2018-07-18T00:00:00", "published": "2013-07-12T00:00:00", "id": "ORACLELINUX_ELSA-2010-0977.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=68163", "title": "Oracle Linux 4 : openssl (ELSA-2010-0977)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2010:0977 and \n# Oracle Linux Security Advisory ELSA-2010-0977 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(68163);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/07/18 17:43:56\");\n\n script_cve_id(\"CVE-2008-7270\", \"CVE-2009-3245\", \"CVE-2010-4180\");\n script_bugtraq_id(38562, 45164, 45254);\n script_xref(name:\"RHSA\", value:\"2010:0977\");\n\n script_name(english:\"Oracle Linux 4 : openssl (ELSA-2010-0977)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2010:0977 :\n\nUpdated openssl packages that fix three security issues are now\navailable for Red Hat Enterprise Linux 4.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. 
Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL\nv2/v3) and Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nA ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server\ncode. A remote attacker could possibly use this flaw to change the\nciphersuite associated with a cached session stored on the server, if\nthe server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option,\npossibly forcing the client to use a weaker ciphersuite after resuming\nthe session. (CVE-2010-4180, CVE-2008-7270)\n\nNote: With this update, setting the\nSSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this\nbug workaround can no longer be enabled.\n\nIt was discovered that OpenSSL did not always check the return value\nof the bn_wexpand() function. An attacker able to trigger a memory\nallocation failure in that function could possibly crash an\napplication using the OpenSSL library and its UBSEC hardware engine\nsupport. (CVE-2009-3245)\n\nAll OpenSSL users should upgrade to these updated packages, which\ncontain backported patches to resolve these issues. 
For the update to\ntake effect, all services linked to the OpenSSL library must be\nrestarted, or the system rebooted.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2010-December/001769.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssl packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/12/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = 
get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 4\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL4\", reference:\"openssl-0.9.7a-43.17.el4_8.6\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"openssl-devel-0.9.7a-43.17.el4_8.6\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"openssl-perl-0.9.7a-43.17.el4_8.6\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl / openssl-devel / openssl-perl\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-16T20:14:23", "bulletinFamily": "scanner", "description": "A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server\ncode. A remote attacker could possibly use this flaw to change the\nciphersuite associated with a cached session stored on the server, if\nthe server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option,\npossibly forcing the client to use a weaker ciphersuite after resuming\nthe session. 
(CVE-2010-4180, CVE-2008-7270)\n\nNote: With this update, setting the\nSSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this\nbug workaround can no longer be enabled.\n\nIt was discovered that OpenSSL did not always check the return value\nof the bn_wexpand() function. An attacker able to trigger a memory\nallocation failure in that function could possibly crash an\napplication using the OpenSSL library and its UBSEC hardware engine\nsupport. (CVE-2009-3245 - SL4 Only)\n\nFor the update to take effect, all services linked to the OpenSSL\nlibrary must be restarted, or the system rebooted.", "modified": "2019-01-02T00:00:00", "published": "2012-08-01T00:00:00", "id": "SL_20101213_OPENSSL_ON_SL4_X.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=60921", "title": "Scientific Linux Security Update : openssl on SL4.x, SL5.x i386/x86_64", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(60921);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/01/02 10:36:43\");\n\n script_cve_id(\"CVE-2008-7270\", \"CVE-2009-3245\", \"CVE-2010-4180\");\n\n script_name(english:\"Scientific Linux Security Update : openssl on SL4.x, SL5.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server\ncode. A remote attacker could possibly use this flaw to change the\nciphersuite associated with a cached session stored on the server, if\nthe server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option,\npossibly forcing the client to use a weaker ciphersuite after resuming\nthe session. 
(CVE-2010-4180, CVE-2008-7270)\n\nNote: With this update, setting the\nSSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this\nbug workaround can no longer be enabled.\n\nIt was discovered that OpenSSL did not always check the return value\nof the bn_wexpand() function. An attacker able to trigger a memory\nallocation failure in that function could possibly crash an\napplication using the OpenSSL library and its UBSEC hardware engine\nsupport. (CVE-2009-3245 - SL4 Only)\n\nFor the update to take effect, all services linked to the OpenSSL\nlibrary must be restarted, or the system rebooted.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1012&L=scientific-linux-errata&T=0&P=1183\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1b28b233\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected openssl, openssl-devel and / or openssl-perl\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/12/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL4\", reference:\"openssl-0.9.7a-43.17.el4_8.6\")) flag++;\nif (rpm_check(release:\"SL4\", reference:\"openssl-devel-0.9.7a-43.17.el4_8.6\")) flag++;\nif (rpm_check(release:\"SL4\", reference:\"openssl-perl-0.9.7a-43.17.el4_8.6\")) flag++;\n\nif (rpm_check(release:\"SL5\", reference:\"openssl-0.9.8e-12.el5_5.7\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"openssl-devel-0.9.8e-12.el5_5.7\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"openssl-perl-0.9.8e-12.el5_5.7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-16T20:11:33", "bulletinFamily": "scanner", "description": "Updated openssl packages that fix three security issues are now\navailable for Red Hat Enterprise Linux 4.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security 
impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL\nv2/v3) and Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nA ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server\ncode. A remote attacker could possibly use this flaw to change the\nciphersuite associated with a cached session stored on the server, if\nthe server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option,\npossibly forcing the client to use a weaker ciphersuite after resuming\nthe session. (CVE-2010-4180, CVE-2008-7270)\n\nNote: With this update, setting the\nSSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this\nbug workaround can no longer be enabled.\n\nIt was discovered that OpenSSL did not always check the return value\nof the bn_wexpand() function. An attacker able to trigger a memory\nallocation failure in that function could possibly crash an\napplication using the OpenSSL library and its UBSEC hardware engine\nsupport. (CVE-2009-3245)\n\nAll OpenSSL users should upgrade to these updated packages, which\ncontain backported patches to resolve these issues. For the update to\ntake effect, all services linked to the OpenSSL library must be\nrestarted, or the system rebooted.", "modified": "2018-11-28T00:00:00", "published": "2010-12-14T00:00:00", "id": "REDHAT-RHSA-2010-0977.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=51155", "title": "RHEL 4 : openssl (RHSA-2010:0977)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2010:0977. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(51155);\n script_version (\"1.17\");\n script_cvs_date(\"Date: 2018/11/28 11:42:05\");\n\n script_cve_id(\"CVE-2008-7270\", \"CVE-2009-3245\", \"CVE-2010-4180\");\n script_bugtraq_id(38562, 45164, 45254);\n script_xref(name:\"RHSA\", value:\"2010:0977\");\n\n script_name(english:\"RHEL 4 : openssl (RHSA-2010:0977)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated openssl packages that fix three security issues are now\navailable for Red Hat Enterprise Linux 4.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL\nv2/v3) and Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nA ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server\ncode. A remote attacker could possibly use this flaw to change the\nciphersuite associated with a cached session stored on the server, if\nthe server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option,\npossibly forcing the client to use a weaker ciphersuite after resuming\nthe session. (CVE-2010-4180, CVE-2008-7270)\n\nNote: With this update, setting the\nSSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this\nbug workaround can no longer be enabled.\n\nIt was discovered that OpenSSL did not always check the return value\nof the bn_wexpand() function. 
An attacker able to trigger a memory\nallocation failure in that function could possibly crash an\napplication using the OpenSSL library and its UBSEC hardware engine\nsupport. (CVE-2009-3245)\n\nAll OpenSSL users should upgrade to these updated packages, which\ncontain backported patches to resolve these issues. For the update to\ntake effect, all services linked to the OpenSSL library must be\nrestarted, or the system rebooted.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2008-7270\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2009-3245\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-4180\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2010:0977\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected openssl, openssl-devel and / or openssl-perl\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4.8\");\n\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2010/12/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/12/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 4.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2010:0977\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL4\", reference:\"openssl-0.9.7a-43.17.el4_8.6\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", reference:\"openssl-devel-0.9.7a-43.17.el4_8.6\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", reference:\"openssl-perl-0.9.7a-43.17.el4_8.6\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl / openssl-devel / openssl-perl\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-16T20:16:40", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2010:0978 :\n\nUpdated openssl packages that fix two security issues are now\navailable for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. 
Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL\nv2/v3) and Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nA ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server\ncode. A remote attacker could possibly use this flaw to change the\nciphersuite associated with a cached session stored on the server, if\nthe server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option,\npossibly forcing the client to use a weaker ciphersuite after resuming\nthe session. (CVE-2010-4180, CVE-2008-7270)\n\nNote: With this update, setting the\nSSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this\nbug workaround can no longer be enabled.\n\nAll OpenSSL users should upgrade to these updated packages, which\ncontain a backported patch to resolve these issues. 
For the update to\ntake effect, all services linked to the OpenSSL library must be\nrestarted, or the system rebooted.", "modified": "2018-07-18T00:00:00", "published": "2013-07-12T00:00:00", "id": "ORACLELINUX_ELSA-2010-0978.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=68164", "title": "Oracle Linux 5 : openssl (ELSA-2010-0978)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2010:0978 and \n# Oracle Linux Security Advisory ELSA-2010-0978 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(68164);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/07/18 17:43:56\");\n\n script_cve_id(\"CVE-2008-7270\", \"CVE-2010-4180\");\n script_bugtraq_id(45164, 45254);\n script_xref(name:\"RHSA\", value:\"2010:0978\");\n\n script_name(english:\"Oracle Linux 5 : openssl (ELSA-2010-0978)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2010:0978 :\n\nUpdated openssl packages that fix two security issues are now\navailable for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL\nv2/v3) and Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nA ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server\ncode. 
A remote attacker could possibly use this flaw to change the\nciphersuite associated with a cached session stored on the server, if\nthe server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option,\npossibly forcing the client to use a weaker ciphersuite after resuming\nthe session. (CVE-2010-4180, CVE-2008-7270)\n\nNote: With this update, setting the\nSSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this\nbug workaround can no longer be enabled.\n\nAll OpenSSL users should upgrade to these updated packages, which\ncontain a backported patch to resolve these issues. For the update to\ntake effect, all services linked to the OpenSSL library must be\nrestarted, or the system rebooted.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2010-December/001771.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssl packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/12/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network 
Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"openssl-0.9.8e-12.el5_5.7\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"openssl-devel-0.9.8e-12.el5_5.7\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"openssl-perl-0.9.8e-12.el5_5.7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl / openssl-devel / openssl-perl\");\n}\n", "cvss": {"score": 4.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-01-16T20:11:31", "bulletinFamily": "scanner", "description": "It was discovered that an old bug workaround in the SSL/TLS server\ncode allowed an attacker to modify the stored session cache\nciphersuite. This could possibly allow an attacker to downgrade the\nciphersuite to a weaker one on subsequent connections. (CVE-2010-4180)\n\nIt was discovered that an old bug workaround in the SSL/TLS server\ncode allowed an attacker to modify the stored session cache\nciphersuite. An attacker could possibly take advantage of this to\nforce the use of a disabled cipher. This vulnerability only affects\nthe versions of OpenSSL in Ubuntu 6.06 LTS, Ubuntu 8.04 LTS, and\nUbuntu 9.10. (CVE-2008-7270).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2018-12-01T00:00:00", "published": "2010-12-08T00:00:00", "id": "UBUNTU_USN-1029-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=51076", "title": "Ubuntu 6.06 LTS / 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : openssl vulnerabilities (USN-1029-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1029-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(51076);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/12/01 13:19:06\");\n\n script_cve_id(\"CVE-2008-7270\", \"CVE-2010-4180\");\n script_bugtraq_id(45164);\n script_xref(name:\"USN\", value:\"1029-1\");\n\n script_name(english:\"Ubuntu 6.06 LTS / 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : openssl vulnerabilities (USN-1029-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that an old bug workaround in the SSL/TLS server\ncode allowed an attacker to modify the stored session cache\nciphersuite. This could possibly allow an attacker to downgrade the\nciphersuite to a weaker one on subsequent connections. (CVE-2010-4180)\n\nIt was discovered that an old bug workaround in the SSL/TLS server\ncode allowed an attacker to modify the stored session cache\nciphersuite. An attacker could possibly take advantage of this to\nforce the use of a disabled cipher. This vulnerability only affects\nthe versions of OpenSSL in Ubuntu 6.06 LTS, Ubuntu 8.04 LTS, and\nUbuntu 9.10. (CVE-2008-7270).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1029-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libssl-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libssl0.9.8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libssl0.9.8-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openssl-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:6.06:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:9.10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/12/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/12/08\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2010-2018 Canonical, Inc. 
/ NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(6\\.06|8\\.04|9\\.10|10\\.04|10\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 6.06 / 8.04 / 9.10 / 10.04 / 10.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"6.06\", pkgname:\"libssl-dev\", pkgver:\"0.9.8a-7ubuntu0.14\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"libssl0.9.8\", pkgver:\"0.9.8a-7ubuntu0.14\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"libssl0.9.8-dbg\", pkgver:\"0.9.8a-7ubuntu0.14\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"openssl\", pkgver:\"0.9.8a-7ubuntu0.14\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"libssl-dev\", pkgver:\"0.9.8g-4ubuntu3.13\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"libssl0.9.8\", pkgver:\"0.9.8g-4ubuntu3.13\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"libssl0.9.8-dbg\", pkgver:\"0.9.8g-4ubuntu3.13\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"openssl\", pkgver:\"0.9.8g-4ubuntu3.13\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"openssl-doc\", pkgver:\"0.9.8g-4ubuntu3.13\")) flag++;\nif 
(ubuntu_check(osver:\"9.10\", pkgname:\"libssl-dev\", pkgver:\"0.9.8g-16ubuntu3.5\")) flag++;\nif (ubuntu_check(osver:\"9.10\", pkgname:\"libssl0.9.8\", pkgver:\"0.9.8g-16ubuntu3.5\")) flag++;\nif (ubuntu_check(osver:\"9.10\", pkgname:\"libssl0.9.8-dbg\", pkgver:\"0.9.8g-16ubuntu3.5\")) flag++;\nif (ubuntu_check(osver:\"9.10\", pkgname:\"openssl\", pkgver:\"0.9.8g-16ubuntu3.5\")) flag++;\nif (ubuntu_check(osver:\"9.10\", pkgname:\"openssl-doc\", pkgver:\"0.9.8g-16ubuntu3.5\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"libssl-dev\", pkgver:\"0.9.8k-7ubuntu8.5\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"libssl0.9.8\", pkgver:\"0.9.8k-7ubuntu8.5\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"libssl0.9.8-dbg\", pkgver:\"0.9.8k-7ubuntu8.5\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"openssl\", pkgver:\"0.9.8k-7ubuntu8.5\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"openssl-doc\", pkgver:\"0.9.8k-7ubuntu8.5\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"libssl-dev\", pkgver:\"0.9.8o-1ubuntu4.3\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"libssl0.9.8\", pkgver:\"0.9.8o-1ubuntu4.3\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"libssl0.9.8-dbg\", pkgver:\"0.9.8o-1ubuntu4.3\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"openssl\", pkgver:\"0.9.8o-1ubuntu4.3\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"openssl-doc\", pkgver:\"0.9.8o-1ubuntu4.3\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libssl-dev / libssl0.9.8 / libssl0.9.8-dbg / openssl / openssl-doc\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-01-16T20:11:32", "bulletinFamily": "scanner", 
"description": "Updated openssl packages that fix two security issues are now\navailable for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL\nv2/v3) and Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nA ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server\ncode. A remote attacker could possibly use this flaw to change the\nciphersuite associated with a cached session stored on the server, if\nthe server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option,\npossibly forcing the client to use a weaker ciphersuite after resuming\nthe session. (CVE-2010-4180, CVE-2008-7270)\n\nNote: With this update, setting the\nSSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this\nbug workaround can no longer be enabled.\n\nAll OpenSSL users should upgrade to these updated packages, which\ncontain a backported patch to resolve these issues. 
For the update to\ntake effect, all services linked to the OpenSSL library must be\nrestarted, or the system rebooted.", "modified": "2018-11-10T00:00:00", "published": "2010-12-14T00:00:00", "id": "CENTOS_RHSA-2010-0978.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=51146", "title": "CentOS 5 : openssl (CESA-2010:0978)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2010:0978 and \n# CentOS Errata and Security Advisory 2010:0978 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(51146);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/11/10 11:49:29\");\n\n script_cve_id(\"CVE-2008-7270\", \"CVE-2010-4180\");\n script_bugtraq_id(45164, 45254);\n script_xref(name:\"RHSA\", value:\"2010:0978\");\n\n script_name(english:\"CentOS 5 : openssl (CESA-2010:0978)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated openssl packages that fix two security issues are now\navailable for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL\nv2/v3) and Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nA ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server\ncode. 
A remote attacker could possibly use this flaw to change the\nciphersuite associated with a cached session stored on the server, if\nthe server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option,\npossibly forcing the client to use a weaker ciphersuite after resuming\nthe session. (CVE-2010-4180, CVE-2008-7270)\n\nNote: With this update, setting the\nSSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this\nbug workaround can no longer be enabled.\n\nAll OpenSSL users should upgrade to these updated packages, which\ncontain a backported patch to resolve these issues. For the update to\ntake effect, all services linked to the OpenSSL library must be\nrestarted, or the system rebooted.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2010-December/017211.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?77fc2d74\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2010-December/017212.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?30c14cdb\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssl packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/12/14\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-5\", reference:\"openssl-0.9.8e-12.el5_5.7\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"openssl-devel-0.9.8e-12.el5_5.7\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"openssl-perl-0.9.8e-12.el5_5.7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-01-16T20:11:33", "bulletinFamily": "scanner", "description": "Updated openssl packages that fix two security issues are now\navailable for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. 
Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL\nv2/v3) and Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nA ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server\ncode. A remote attacker could possibly use this flaw to change the\nciphersuite associated with a cached session stored on the server, if\nthe server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option,\npossibly forcing the client to use a weaker ciphersuite after resuming\nthe session. (CVE-2010-4180, CVE-2008-7270)\n\nNote: With this update, setting the\nSSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this\nbug workaround can no longer be enabled.\n\nAll OpenSSL users should upgrade to these updated packages, which\ncontain a backported patch to resolve these issues. For the update to\ntake effect, all services linked to the OpenSSL library must be\nrestarted, or the system rebooted.", "modified": "2018-11-28T00:00:00", "published": "2010-12-14T00:00:00", "id": "REDHAT-RHSA-2010-0978.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=51156", "title": "RHEL 5 : openssl (RHSA-2010:0978)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2010:0978. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(51156);\n script_version (\"1.15\");\n script_cvs_date(\"Date: 2018/11/28 11:42:05\");\n\n script_cve_id(\"CVE-2008-7270\", \"CVE-2010-4180\");\n script_bugtraq_id(45164, 45254);\n script_xref(name:\"RHSA\", value:\"2010:0978\");\n\n script_name(english:\"RHEL 5 : openssl (RHSA-2010:0978)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated openssl packages that fix two security issues are now\navailable for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL\nv2/v3) and Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nA ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server\ncode. A remote attacker could possibly use this flaw to change the\nciphersuite associated with a cached session stored on the server, if\nthe server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option,\npossibly forcing the client to use a weaker ciphersuite after resuming\nthe session. (CVE-2010-4180, CVE-2008-7270)\n\nNote: With this update, setting the\nSSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this\nbug workaround can no longer be enabled.\n\nAll OpenSSL users should upgrade to these updated packages, which\ncontain a backported patch to resolve these issues. 
For the update to\ntake effect, all services linked to the OpenSSL library must be\nrestarted, or the system rebooted.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2008-7270\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-4180\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2010:0978\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected openssl, openssl-devel and / or openssl-perl\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/12/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/12/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2010:0978\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", reference:\"openssl-0.9.8e-12.el5_5.7\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"openssl-devel-0.9.8e-12.el5_5.7\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"openssl-perl-0.9.8e-12.el5_5.7\")) flag++;\n if 
(rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"openssl-perl-0.9.8e-12.el5_5.7\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"openssl-perl-0.9.8e-12.el5_5.7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl / openssl-devel / openssl-perl\");\n }\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-01-16T20:17:04", "bulletinFamily": "scanner", "description": "The remote HP ProCurve switch is missing a software update that\ncorrects an issue where an attacker could remotely cause an unauthorized\ninformation disclosure.", "modified": "2018-07-12T00:00:00", "published": "2013-08-14T00:00:00", "id": "HP_PROCURVE_HPSBPV02891.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=69346", "title": "HP ProCurve Switches Remote Unauthorized Information Disclosure", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(69346);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/07/12 19:01:16\");\n\n script_cve_id(\"CVE-2008-7270\");\n script_bugtraq_id(45254);\n script_xref(name:\"HP\", value:\"HPSBPV02891\");\n script_xref(name:\"HP\", value:\"SSRT101113\");\n script_xref(name:\"HP\", value:\"emr_na-c03819065\");\n\n script_name(english:\"HP ProCurve Switches Remote Unauthorized Information Disclosure\");\n script_summary(english:\"Checks model number and software version to determine presence of flaw\");\n\n script_set_attribute(attribute: \"synopsis\", value:\"The remote host is missing a vendor-supplied software update.\");\n script_set_attribute(attribute: \"description\", value:\n\"The remote 
HP ProCurve switch is missing a software update that\ncorrects an issue where an attacker could remotely cause an unauthorized\ninformation disclosure.\");\n script_set_attribute(attribute: \"solution\", value:\"Upgrade to the appropriate software version or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n # https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c03819065\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7c5c3056\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/09/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/07/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/08/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:hp:procurve_switch\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Misc.\");\n\n script_dependencies(\"hp_procurve_version.nasl\");\n script_require_keys(\"Host/HP_Switch\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\n\n# ###########################\n# function assumes both a and b are of the form K.15.12\n# ###########################\nfunction version_cmp(a, b)\n{\n local_var i, vala, valb, max;\n\n a = split(a, sep:'.', keep:FALSE);\n b = split(b, sep:'.', keep:FALSE);\n\n # check that the first string part matches\n if (toupper(a[0]) != toupper(b[0])) return -2;\n\n max = max_index(a);\n if (max_index(b) > max) max = max_index(b);\n\n # now loop over all of the remaining int parts\n for ( i = 1; i < max ; 
i ++ )\n {\n if (i >= max_index(a)) vala = 0;\n else vala = int(a[i]);\n if (i >= max_index(b)) valb = 0;\n else valb = int(b[i]);\n\n if ( vala < valb )\n return -1;\n else if ( vala > valb )\n return 1;\n }\n return 0;\n}\n\nif ( ! get_kb_item('Host/HP_Switch') ) exit(0, \"This is not an HP Switch.\");\n\nrev = get_kb_item(\"Host/HP_Switch/SoftwareRevision\");\nmodel = get_kb_item(\"Host/HP_Switch/Model\");\nif ( (!rev) || (!model) || (rev == \"unknown\") || (model == \"unknown\") )\n exit(0, \"The model number and/or software version could not be obtained.\");\n\nflag = 0;\npatched_ver = \"\";\n\n# A.14.20 or A.15.06\nif ( (model == \"J9565A\") ||\n (model == \"J9562A\") )\n{\n if (version_cmp(a:\"A.14.20\", b:rev) > 0)\n {\n patched_ver = \"A.14.20 or A.15.06\";\n flag++;\n }\n if ( (version_cmp(a:\"A.15.0\", b:rev) <= 0) && (version_cmp(a:\"A.15.06\", b:rev) > 0) )\n {\n patched_ver = \"A.15.06\";\n flag++;\n }\n}\n\n# E.11.34\nif ( (model == \"J4850A\") ||\n (model == \"J8166A\") ||\n (model == \"J4819A\") ||\n (model == \"J8167A\") ||\n (model == \"J4849A\") ||\n (model == \"J4849B\") ||\n (model == \"J4848A\") ||\n (model == \"J4848B\") )\n if (version_cmp(a:\"E.11.34\", b:rev) > 0)\n {\n patched_ver = \"E.11.34\";\n flag++;\n }\n\n# H.10.108\nif ( (model == \"J8762A\") ||\n (model == \"J4900A\") ||\n (model == \"J4900B\") ||\n (model == \"J4900C\") ||\n (model == \"J4899A\") ||\n (model == \"J4899B\") ||\n (model == \"J4899C\") ||\n (model == \"J8164A\") ||\n (model == \"J8165A\") )\n if (version_cmp(a:\"H.10.108\", b:rev) > 0)\n {\n patched_ver = \"H.10.108\";\n flag++;\n }\n\n# i.10.98\nif ( (model == \"J4903A\") ||\n (model == \"J4904A\") )\n if (version_cmp(a:\"i.10.98\", b:rev) > 0)\n {\n patched_ver = \"i.10.98\";\n flag++;\n }\n\n# J.14.61 or J.15.06\nif ( (model == \"J9299A\") ||\n (model == \"J9298A\") )\n{\n if (version_cmp(a:\"J.14.61\", b:rev) > 0)\n {\n patched_ver = \"J.14.61 or J.15.06\";\n flag++;\n }\n if ( (version_cmp(a:\"J.15.0\", 
b:rev) <= 0) && (version_cmp(a:\"J.15.06\", b:rev) > 0) )\n {\n patched_ver = \"J.15.06\";\n flag++;\n }\n}\n\n# L.11.38\nif ( (model == \"J8772B\") ||\n (model == \"J8770A\") ||\n (model == \"J9064A\") ||\n (model == \"J8773A\") ||\n (model == \"J9030A\") ||\n (model == \"J8775B\") ||\n (model == \"J8771A\") ||\n (model == \"J8772A\") ||\n (model == \"J8774A\") ||\n (model == \"J8775A\") )\n if (version_cmp(a:\"L.11.38\", b:rev) > 0)\n {\n patched_ver = \"L.11.38\";\n flag++;\n }\n\n# M.10.95\nif ( (model == \"J4906A\") ||\n (model == \"J4905A\") )\n if (version_cmp(a:\"M.10.95\", b:rev) > 0)\n {\n patched_ver = \"M.10.95\";\n flag++;\n }\n\n# N.11.56\nif ( (model == \"J9021A\") ||\n (model == \"J9022A\") )\n if (version_cmp(a:\"N.11.56\", b:rev) > 0)\n {\n patched_ver = \"N.11.56\";\n flag++;\n }\n\n# Q.11.55\nif ( (model == \"J9019B\") ||\n (model == \"J9019A\") )\n if (version_cmp(a:\"Q.11.55\", b:rev) > 0)\n {\n patched_ver = \"Q.11.55\";\n flag++;\n }\n\n# R.11.92\nif ( (model == \"J9085A\") ||\n (model == \"J9087A\") ||\n (model == \"J9086A\") ||\n (model == \"J9088A\") ||\n (model == \"J9089A\") )\n if (version_cmp(a:\"R.11.92\", b:rev) > 0)\n {\n patched_ver = \"R.11.92\";\n flag++;\n }\n\n# S.14.36 or S.15.06\nif ( (model == \"J9138A\") ||\n (model == \"J9137A\") )\n{\n if (version_cmp(a:\"S.14.36\", b:rev) > 0)\n {\n patched_ver = \"S.14.36 or S.15.06\";\n flag++;\n }\n if ( (version_cmp(a:\"S.15.0\", b:rev) <= 0) && (version_cmp(a:\"S.15.06\", b:rev) > 0) )\n {\n patched_ver = \"S.15.06\";\n flag++;\n }\n}\n\n# U.11.43\nif (model == \"J9020A\")\n if (version_cmp(a:\"U.11.43\", b:rev) > 0)\n {\n patched_ver = \"U.11.43\";\n flag++;\n }\n\n# Y.11.38\nif ( (model == \"J9279A\") ||\n (model == \"J9280A\") )\n if (version_cmp(a:\"Y.11.38\", b:rev) > 0)\n {\n patched_ver = \"Y.11.38\";\n flag++;\n }\n\n# report as needed\nif (flag)\n{\n report = string(\n \"The Remote HP ProCurve system is not patched :\\n\",\n \" Model # : \", model, \"\\n\",\n \"\\n\",\n \" 
Current Software Revision : \", rev, \"\\n\",\n \" Patched Software Revision : \", patched_ver, \"\\n\"\n );\n\n security_warning(port:0, extra:report);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-01-16T20:16:36", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2010:0173 :\n\nUpdated openssl096b packages that fix one security issue are now\navailable for Red Hat Enterprise Linux 3 and 4.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. A Common Vulnerability Scoring System\n(CVSS) base score, which gives a detailed severity rating, is\navailable from the CVE link in the References section.\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL\nv2/v3) and Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nIt was discovered that OpenSSL did not always check the return value\nof the bn_wexpand() function. An attacker able to trigger a memory\nallocation failure in that function could cause an application using\nthe OpenSSL library to crash or, possibly, execute arbitrary code.\n(CVE-2009-3245)\n\nAll openssl096b users should upgrade to these updated packages, which\ncontain a backported patch to resolve this issue. 
For the update to\ntake effect, all programs using the openssl096b library must be\nrestarted.", "modified": "2016-05-06T00:00:00", "published": "2013-07-12T00:00:00", "id": "ORACLELINUX_ELSA-2010-0173.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=68023", "title": "Oracle Linux 3 / 4 : openssl096b (ELSA-2010-0173)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2010:0173 and \n# Oracle Linux Security Advisory ELSA-2010-0173 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(68023);\n script_version(\"$Revision: 1.5 $\");\n script_cvs_date(\"$Date: 2016/05/06 16:53:47 $\");\n\n script_cve_id(\"CVE-2009-3245\");\n script_bugtraq_id(38562);\n script_xref(name:\"RHSA\", value:\"2010:0173\");\n\n script_name(english:\"Oracle Linux 3 / 4 : openssl096b (ELSA-2010-0173)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2010:0173 :\n\nUpdated openssl096b packages that fix one security issue are now\navailable for Red Hat Enterprise Linux 3 and 4.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. A Common Vulnerability Scoring System\n(CVSS) base score, which gives a detailed severity rating, is\navailable from the CVE link in the References section.\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL\nv2/v3) and Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nIt was discovered that OpenSSL did not always check the return value\nof the bn_wexpand() function. 
An attacker able to trigger a memory\nallocation failure in that function could cause an application using\nthe OpenSSL library to crash or, possibly, execute arbitrary code.\n(CVE-2009-3245)\n\nAll openssl096b users should upgrade to these updated packages, which\ncontain a backported patch to resolve this issue. For the update to\ntake effect, all programs using the openssl096b library must be\nrestarted.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2010-March/001408.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2010-March/001409.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssl096b package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssl096b\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/03/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2016 Tenable Network Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", 
\"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(3|4)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 3 / 4\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL3\", cpu:\"i386\", reference:\"openssl096b-0.9.6b-16.50\")) flag++;\nif (rpm_check(release:\"EL3\", cpu:\"x86_64\", reference:\"openssl096b-0.9.6b-16.50\")) flag++;\n\nif (rpm_check(release:\"EL4\", reference:\"openssl096b-0.9.6b-22.46.el4_8.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl096b\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-09-02T00:03:15", "bulletinFamily": "scanner", "description": "Check for the Version of openssl", "modified": "2018-04-06T00:00:00", 
"published": "2011-01-31T00:00:00", "id": "OPENVAS:1361412562310880460", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310880460", "title": "CentOS Update for openssl CESA-2010:0977 centos4 i386", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for openssl CESA-2010:0977 centos4 i386\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)\n and Transport Layer Security (TLS v1) protocols, as well as a\n full-strength, general purpose cryptography library.\n\n A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code.\n A remote attacker could possibly use this flaw to change the ciphersuite\n associated with a cached session stored on the server, if the server\n enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly\n forcing the client to use a weaker ciphersuite after resuming the session.\n (CVE-2010-4180, CVE-2008-7270)\n \n Note: With this update, setting the 
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG\n option has no effect and this bug workaround can no longer be enabled.\n \n It was discovered that OpenSSL did not always check the return value of the\n bn_wexpand() function. An attacker able to trigger a memory allocation\n failure in that function could possibly crash an application using the\n OpenSSL library and its UBSEC hardware engine support. (CVE-2009-3245)\n \n All OpenSSL users should upgrade to these updated packages, which contain\n backported patches to resolve these issues. For the update to take effect,\n all services linked to the OpenSSL library must be restarted, or the system\n rebooted.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"openssl on CentOS 4\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2011-January/017235.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.880460\");\n script_version(\"$Revision: 9371 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:55:06 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2011-01-31 15:15:14 +0100 (Mon, 31 Jan 2011)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"CESA\", value: \"2010:0977\");\n script_cve_id(\"CVE-2008-7270\", \"CVE-2009-3245\", \"CVE-2010-4180\");\n script_name(\"CentOS Update for openssl CESA-2010:0977 centos4 i386\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of openssl\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n 
script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS4\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssl\", rpm:\"openssl~0.9.7a~43.17.el4_8.6\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-devel\", rpm:\"openssl-devel~0.9.7a~43.17.el4_8.6\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-perl\", rpm:\"openssl-perl~0.9.7a~43.17.el4_8.6\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-14T11:48:43", "bulletinFamily": "scanner", "description": "Check for the Version of openssl", "modified": "2017-12-14T00:00:00", "published": "2010-12-28T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=870372", "id": "OPENVAS:870372", "title": "RedHat Update for openssl RHSA-2010:0977-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for openssl RHSA-2010:0977-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied 
warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)\n and Transport Layer Security (TLS v1) protocols, as well as a\n full-strength, general purpose cryptography library.\n\n A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code.\n A remote attacker could possibly use this flaw to change the ciphersuite\n associated with a cached session stored on the server, if the server\n enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly\n forcing the client to use a weaker ciphersuite after resuming the session.\n (CVE-2010-4180, CVE-2008-7270)\n \n Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG\n option has no effect and this bug workaround can no longer be enabled.\n \n It was discovered that OpenSSL did not always check the return value of the\n bn_wexpand() function. An attacker able to trigger a memory allocation\n failure in that function could possibly crash an application using the\n OpenSSL library and its UBSEC hardware engine support. (CVE-2009-3245)\n \n All OpenSSL users should upgrade to these updated packages, which contain\n backported patches to resolve these issues. 
For the update to take effect,\n all services linked to the OpenSSL library must be restarted, or the system\n rebooted.\";\n\ntag_affected = \"openssl on Red Hat Enterprise Linux AS version 4,\n Red Hat Enterprise Linux ES version 4,\n Red Hat Enterprise Linux WS version 4\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/rhsa-announce/2010-December/msg00026.html\");\n script_id(870372);\n script_version(\"$Revision: 8109 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-14 07:31:15 +0100 (Thu, 14 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-28 07:11:56 +0100 (Tue, 28 Dec 2010)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"RHSA\", value: \"2010:0977-01\");\n script_cve_id(\"CVE-2008-7270\", \"CVE-2009-3245\", \"CVE-2010-4180\");\n script_name(\"RedHat Update for openssl RHSA-2010:0977-01\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of openssl\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_4\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssl\", rpm:\"openssl~0.9.7a~43.17.el4_8.6\", rls:\"RHENT_4\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-debuginfo\", rpm:\"openssl-debuginfo~0.9.7a~43.17.el4_8.6\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-devel\", rpm:\"openssl-devel~0.9.7a~43.17.el4_8.6\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-perl\", rpm:\"openssl-perl~0.9.7a~43.17.el4_8.6\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:58:09", "bulletinFamily": "scanner", "description": "Check for the Version of openssl", "modified": "2018-04-06T00:00:00", "published": "2012-07-30T00:00:00", "id": "OPENVAS:1361412562310881366", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881366", "title": "CentOS Update for openssl CESA-2010:0977 centos4 x86_64", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for openssl CESA-2010:0977 centos4 x86_64\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)\n and Transport Layer Security (TLS v1) protocols, as well as a\n full-strength, general purpose cryptography library.\n\n A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code.\n A remote attacker could possibly use this flaw to change the ciphersuite\n associated with a cached session stored on the server, if the server\n enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly\n forcing the client to use a weaker ciphersuite after resuming the session.\n (CVE-2010-4180, CVE-2008-7270)\n\n Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG\n option has no effect and this bug workaround can no longer be enabled.\n\n It was discovered that OpenSSL did not always check the return value of the\n bn_wexpand() function. An attacker able to trigger a memory allocation\n failure in that function could possibly crash an application using the\n OpenSSL library and its UBSEC hardware engine support. (CVE-2009-3245)\n\n All OpenSSL users should upgrade to these updated packages, which contain\n backported patches to resolve these issues. 
For the update to take effect,\n all services linked to the OpenSSL library must be restarted, or the system\n rebooted.\";\n\ntag_affected = \"openssl on CentOS 4\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2011-January/017236.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.881366\");\n script_version(\"$Revision: 9352 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:13:02 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 17:36:42 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2008-7270\", \"CVE-2009-3245\", \"CVE-2010-4180\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"CESA\", value: \"2010:0977\");\n script_name(\"CentOS Update for openssl CESA-2010:0977 centos4 x86_64\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of openssl\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS4\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssl\", rpm:\"openssl~0.9.7a~43.17.el4_8.6\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"openssl-devel\", rpm:\"openssl-devel~0.9.7a~43.17.el4_8.6\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-perl\", rpm:\"openssl-perl~0.9.7a~43.17.el4_8.6\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-02T10:54:30", "bulletinFamily": "scanner", "description": "Check for the Version of openssl", "modified": "2018-01-01T00:00:00", "published": "2010-12-28T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310870372", "id": "OPENVAS:1361412562310870372", "title": "RedHat Update for openssl RHSA-2010:0977-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for openssl RHSA-2010:0977-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)\n and Transport Layer Security (TLS v1) protocols, as well as a\n full-strength, general purpose cryptography library.\n\n A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code.\n A remote attacker could possibly use this flaw to change the ciphersuite\n associated with a cached session stored on the server, if the server\n enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly\n forcing the client to use a weaker ciphersuite after resuming the session.\n (CVE-2010-4180, CVE-2008-7270)\n \n Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG\n option has no effect and this bug workaround can no longer be enabled.\n \n It was discovered that OpenSSL did not always check the return value of the\n bn_wexpand() function. An attacker able to trigger a memory allocation\n failure in that function could possibly crash an application using the\n OpenSSL library and its UBSEC hardware engine support. (CVE-2009-3245)\n \n All OpenSSL users should upgrade to these updated packages, which contain\n backported patches to resolve these issues. 
For the update to take effect,\n all services linked to the OpenSSL library must be restarted, or the system\n rebooted.\";\n\ntag_affected = \"openssl on Red Hat Enterprise Linux AS version 4,\n Red Hat Enterprise Linux ES version 4,\n Red Hat Enterprise Linux WS version 4\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/rhsa-announce/2010-December/msg00026.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.870372\");\n script_version(\"$Revision: 8266 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-01 08:28:32 +0100 (Mon, 01 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-28 07:11:56 +0100 (Tue, 28 Dec 2010)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"RHSA\", value: \"2010:0977-01\");\n script_cve_id(\"CVE-2008-7270\", \"CVE-2009-3245\", \"CVE-2010-4180\");\n script_name(\"RedHat Update for openssl RHSA-2010:0977-01\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of openssl\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_4\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssl\", rpm:\"openssl~0.9.7a~43.17.el4_8.6\", 
rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-debuginfo\", rpm:\"openssl-debuginfo~0.9.7a~43.17.el4_8.6\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-devel\", rpm:\"openssl-devel~0.9.7a~43.17.el4_8.6\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-perl\", rpm:\"openssl-perl~0.9.7a~43.17.el4_8.6\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-18T11:07:39", "bulletinFamily": "scanner", "description": "Check for the Version of openssl", "modified": "2018-01-17T00:00:00", "published": "2012-07-30T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=881366", "id": "OPENVAS:881366", "title": "CentOS Update for openssl CESA-2010:0977 centos4 x86_64", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for openssl CESA-2010:0977 centos4 x86_64\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)\n and Transport Layer Security (TLS v1) protocols, as well as a\n full-strength, general purpose cryptography library.\n\n A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code.\n A remote attacker could possibly use this flaw to change the ciphersuite\n associated with a cached session stored on the server, if the server\n enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly\n forcing the client to use a weaker ciphersuite after resuming the session.\n (CVE-2010-4180, CVE-2008-7270)\n\n Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG\n option has no effect and this bug workaround can no longer be enabled.\n\n It was discovered that OpenSSL did not always check the return value of the\n bn_wexpand() function. An attacker able to trigger a memory allocation\n failure in that function could possibly crash an application using the\n OpenSSL library and its UBSEC hardware engine support. (CVE-2009-3245)\n\n All OpenSSL users should upgrade to these updated packages, which contain\n backported patches to resolve these issues. 
For the update to take effect,\n all services linked to the OpenSSL library must be restarted, or the system\n rebooted.\";\n\ntag_affected = \"openssl on CentOS 4\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2011-January/017236.html\");\n script_id(881366);\n script_version(\"$Revision: 8448 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-17 17:18:06 +0100 (Wed, 17 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 17:36:42 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2008-7270\", \"CVE-2009-3245\", \"CVE-2010-4180\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"CESA\", value: \"2010:0977\");\n script_name(\"CentOS Update for openssl CESA-2010:0977 centos4 x86_64\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of openssl\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS4\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssl\", rpm:\"openssl~0.9.7a~43.17.el4_8.6\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-devel\", 
rpm:\"openssl-devel~0.9.7a~43.17.el4_8.6\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-perl\", rpm:\"openssl-perl~0.9.7a~43.17.el4_8.6\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-25T10:55:42", "bulletinFamily": "scanner", "description": "Check for the Version of openssl", "modified": "2017-07-10T00:00:00", "published": "2011-01-31T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=880460", "id": "OPENVAS:880460", "title": "CentOS Update for openssl CESA-2010:0977 centos4 i386", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for openssl CESA-2010:0977 centos4 i386\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)\n and Transport Layer Security (TLS v1) protocols, as well as a\n full-strength, general purpose cryptography library.\n\n A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code.\n A remote attacker could possibly use this flaw to change the ciphersuite\n associated with a cached session stored on the server, if the server\n enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly\n forcing the client to use a weaker ciphersuite after resuming the session.\n (CVE-2010-4180, CVE-2008-7270)\n \n Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG\n option has no effect and this bug workaround can no longer be enabled.\n \n It was discovered that OpenSSL did not always check the return value of the\n bn_wexpand() function. An attacker able to trigger a memory allocation\n failure in that function could possibly crash an application using the\n OpenSSL library and its UBSEC hardware engine support. (CVE-2009-3245)\n \n All OpenSSL users should upgrade to these updated packages, which contain\n backported patches to resolve these issues. 
For the update to take effect,\n all services linked to the OpenSSL library must be restarted, or the system\n rebooted.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"openssl on CentOS 4\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2011-January/017235.html\");\n script_id(880460);\n script_version(\"$Revision: 6653 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:46:53 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-01-31 15:15:14 +0100 (Mon, 31 Jan 2011)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"CESA\", value: \"2010:0977\");\n script_cve_id(\"CVE-2008-7270\", \"CVE-2009-3245\", \"CVE-2010-4180\");\n script_name(\"CentOS Update for openssl CESA-2010:0977 centos4 i386\");\n\n script_summary(\"Check for the Version of openssl\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS4\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssl\", rpm:\"openssl~0.9.7a~43.17.el4_8.6\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-devel\", 
rpm:\"openssl-devel~0.9.7a~43.17.el4_8.6\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-perl\", rpm:\"openssl-perl~0.9.7a~43.17.el4_8.6\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-28T18:25:32", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2010-0978", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310122287", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122287", "title": "Oracle Linux Local Check: ELSA-2010-0978", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2010-0978.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122287\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:16:02 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2010-0978\");\n script_tag(name:\"insight\", value:\"ELSA-2010-0978 - openssl security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2010-0978\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2010-0978.html\");\n script_cve_id(\"CVE-2008-7270\", \"CVE-2010-4180\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"openssl\", 
rpm:\"openssl~0.9.8e~12.el5_5.7\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"openssl-devel\", rpm:\"openssl-devel~0.9.8e~12.el5_5.7\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"openssl-perl\", rpm:\"openssl-perl~0.9.8e~12.el5_5.7\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-25T10:55:47", "bulletinFamily": "scanner", "description": "Check for the Version of openssl", "modified": "2017-07-10T00:00:00", "published": "2011-08-09T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=880636", "id": "OPENVAS:880636", "title": "CentOS Update for openssl CESA-2010:0978 centos5 i386", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for openssl CESA-2010:0978 centos5 i386\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)\n and Transport Layer Security (TLS v1) protocols, as well as a\n full-strength, general purpose cryptography library.\n\n A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code.\n A remote attacker could possibly use this flaw to change the ciphersuite\n associated with a cached session stored on the server, if the server\n enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly\n forcing the client to use a weaker ciphersuite after resuming the session.\n (CVE-2010-4180, CVE-2008-7270)\n \n Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG\n option has no effect and this bug workaround can no longer be enabled.\n \n All OpenSSL users should upgrade to these updated packages, which contain a\n backported patch to resolve these issues. 
For the update to take effect,\n all services linked to the OpenSSL library must be restarted, or the system\n rebooted.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"openssl on CentOS 5\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2010-December/017211.html\");\n script_id(880636);\n script_version(\"$Revision: 6653 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:46:53 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-08-09 08:20:34 +0200 (Tue, 09 Aug 2011)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"CESA\", value: \"2010:0978\");\n script_cve_id(\"CVE-2008-7270\", \"CVE-2010-4180\");\n script_name(\"CentOS Update for openssl CESA-2010:0978 centos5 i386\");\n\n script_summary(\"Check for the Version of openssl\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssl\", rpm:\"openssl~0.9.8e~12.el5_5.7\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-devel\", rpm:\"openssl-devel~0.9.8e~12.el5_5.7\", 
rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-perl\", rpm:\"openssl-perl~0.9.8e~12.el5_5.7\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-01-02T10:54:12", "bulletinFamily": "scanner", "description": "Check for the Version of openssl", "modified": "2017-12-22T00:00:00", "published": "2010-12-28T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310870370", "id": "OPENVAS:1361412562310870370", "type": "openvas", "title": "RedHat Update for openssl RHSA-2010:0978-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for openssl RHSA-2010:0978-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)\n and Transport Layer Security (TLS v1) protocols, as well as a\n full-strength, general purpose cryptography library.\n\n A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code.\n A remote attacker could possibly use this flaw to change the ciphersuite\n associated with a cached session stored on the server, if the server\n enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly\n forcing the client to use a weaker ciphersuite after resuming the session.\n (CVE-2010-4180, CVE-2008-7270)\n \n Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG\n option has no effect and this bug workaround can no longer be enabled.\n \n All OpenSSL users should upgrade to these updated packages, which contain a\n backported patch to resolve these issues. For the update to take effect,\n all services linked to the OpenSSL library must be restarted, or the system\n rebooted.\";\n\ntag_affected = \"openssl on Red Hat Enterprise Linux (v. 
5 server)\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/rhsa-announce/2010-December/msg00027.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.870370\");\n script_version(\"$Revision: 8228 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-22 08:29:52 +0100 (Fri, 22 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-28 07:11:56 +0100 (Tue, 28 Dec 2010)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"RHSA\", value: \"2010:0978-01\");\n script_cve_id(\"CVE-2008-7270\", \"CVE-2010-4180\");\n script_name(\"RedHat Update for openssl RHSA-2010:0978-01\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of openssl\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssl\", rpm:\"openssl~0.9.8e~12.el5_5.7\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-debuginfo\", rpm:\"openssl-debuginfo~0.9.8e~12.el5_5.7\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"openssl-devel\", rpm:\"openssl-devel~0.9.8e~12.el5_5.7\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-perl\", rpm:\"openssl-perl~0.9.8e~12.el5_5.7\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-02T00:02:55", "bulletinFamily": "scanner", "description": "Check for the Version of openssl", "modified": "2018-04-06T00:00:00", "published": "2011-08-09T00:00:00", "id": "OPENVAS:1361412562310880636", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310880636", "title": "CentOS Update for openssl CESA-2010:0978 centos5 i386", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for openssl CESA-2010:0978 centos5 i386\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)\n and Transport Layer Security (TLS v1) protocols, as well as a\n full-strength, general purpose cryptography library.\n\n A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code.\n A remote attacker could possibly use this flaw to change the ciphersuite\n associated with a cached session stored on the server, if the server\n enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly\n forcing the client to use a weaker ciphersuite after resuming the session.\n (CVE-2010-4180, CVE-2008-7270)\n \n Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG\n option has no effect and this bug workaround can no longer be enabled.\n \n All OpenSSL users should upgrade to these updated packages, which contain a\n backported patch to resolve these issues. 
For the update to take effect,\n all services linked to the OpenSSL library must be restarted, or the system\n rebooted.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"openssl on CentOS 5\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2010-December/017211.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.880636\");\n script_version(\"$Revision: 9371 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:55:06 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2011-08-09 08:20:34 +0200 (Tue, 09 Aug 2011)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"CESA\", value: \"2010:0978\");\n script_cve_id(\"CVE-2008-7270\", \"CVE-2010-4180\");\n script_name(\"CentOS Update for openssl CESA-2010:0978 centos5 i386\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of openssl\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssl\", rpm:\"openssl~0.9.8e~12.el5_5.7\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-devel\", 
rpm:\"openssl-devel~0.9.8e~12.el5_5.7\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-perl\", rpm:\"openssl-perl~0.9.8e~12.el5_5.7\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "centos": [{"lastseen": "2017-10-03T18:25:20", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2010:0977\n\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)\nand Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nA ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code.\nA remote attacker could possibly use this flaw to change the ciphersuite\nassociated with a cached session stored on the server, if the server\nenabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly\nforcing the client to use a weaker ciphersuite after resuming the session.\n(CVE-2010-4180, CVE-2008-7270)\n\nNote: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG\noption has no effect and this bug workaround can no longer be enabled.\n\nIt was discovered that OpenSSL did not always check the return value of the\nbn_wexpand() function. An attacker able to trigger a memory allocation\nfailure in that function could possibly crash an application using the\nOpenSSL library and its UBSEC hardware engine support. (CVE-2009-3245)\n\nAll OpenSSL users should upgrade to these updated packages, which contain\nbackported patches to resolve these issues. 
For the update to take effect,\nall services linked to the OpenSSL library must be restarted, or the system\nrebooted.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2011-January/017235.html\nhttp://lists.centos.org/pipermail/centos-announce/2011-January/017236.html\n\n**Affected packages:**\nopenssl\nopenssl-devel\nopenssl-perl\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2010-0977.html", "modified": "2011-01-27T04:12:26", "published": "2011-01-27T04:11:13", "href": "http://lists.centos.org/pipermail/centos-announce/2011-January/017235.html", "id": "CESA-2010:0977", "title": "openssl security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-10-03T18:26:14", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2010:0978\n\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)\nand Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nA ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code.\nA remote attacker could possibly use this flaw to change the ciphersuite\nassociated with a cached session stored on the server, if the server\nenabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly\nforcing the client to use a weaker ciphersuite after resuming the session.\n(CVE-2010-4180, CVE-2008-7270)\n\nNote: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG\noption has no effect and this bug workaround can no longer be enabled.\n\nAll OpenSSL users should upgrade to these updated packages, which contain a\nbackported patch to resolve these issues. 
For the update to take effect,\nall services linked to the OpenSSL library must be restarted, or the system\nrebooted.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2010-December/017211.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-December/017212.html\n\n**Affected packages:**\nopenssl\nopenssl-devel\nopenssl-perl\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2010-0978.html", "modified": "2010-12-13T20:19:08", "published": "2010-12-13T20:19:08", "href": "http://lists.centos.org/pipermail/centos-announce/2010-December/017211.html", "id": "CESA-2010:0978", "title": "openssl security update", "type": "centos", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-10-12T14:44:50", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2010:0173\n\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)\nand Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nIt was discovered that OpenSSL did not always check the return value of the\nbn_wexpand() function. An attacker able to trigger a memory allocation\nfailure in that function could cause an application using the OpenSSL\nlibrary to crash or, possibly, execute arbitrary code. (CVE-2009-3245)\n\nAll openssl096b users should upgrade to these updated packages, which\ncontain a backported patch to resolve this issue. 
For the update to take\neffect, all programs using the openssl096b library must be restarted.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2010-March/016582.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-March/016583.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-March/016611.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-March/016612.html\n\n**Affected packages:**\nopenssl096b\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2010-0173.html", "modified": "2010-03-28T21:48:23", "published": "2010-03-25T23:40:26", "href": "http://lists.centos.org/pipermail/centos-announce/2010-March/016582.html", "id": "CESA-2010:0173", "title": "openssl096b security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2018-12-11T17:41:07", "bulletinFamily": "unix", "description": "OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)\nand Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nA ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code.\nA remote attacker could possibly use this flaw to change the ciphersuite\nassociated with a cached session stored on the server, if the server\nenabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly\nforcing the client to use a weaker ciphersuite after resuming the session.\n(CVE-2010-4180, CVE-2008-7270)\n\nNote: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG\noption has no effect and this bug workaround can no longer be enabled.\n\nIt was discovered that OpenSSL did not always check the return value of the\nbn_wexpand() function. 
An attacker able to trigger a memory allocation\nfailure in that function could possibly crash an application using the\nOpenSSL library and its UBSEC hardware engine support. (CVE-2009-3245)\n\nAll OpenSSL users should upgrade to these updated packages, which contain\nbackported patches to resolve these issues. For the update to take effect,\nall services linked to the OpenSSL library must be restarted, or the system\nrebooted.\n", "modified": "2017-09-08T12:19:53", "published": "2010-12-13T05:00:00", "id": "RHSA-2010:0977", "href": "https://access.redhat.com/errata/RHSA-2010:0977", "type": "redhat", "title": "(RHSA-2010:0977) Moderate: openssl security update", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-11T17:41:42", "bulletinFamily": "unix", "description": "OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)\nand Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nA ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code.\nA remote attacker could possibly use this flaw to change the ciphersuite\nassociated with a cached session stored on the server, if the server\nenabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly\nforcing the client to use a weaker ciphersuite after resuming the session.\n(CVE-2010-4180, CVE-2008-7270)\n\nNote: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG\noption has no effect and this bug workaround can no longer be enabled.\n\nAll OpenSSL users should upgrade to these updated packages, which contain a\nbackported patch to resolve these issues. 
For the update to take effect,\nall services linked to the OpenSSL library must be restarted, or the system\nrebooted.\n", "modified": "2017-09-08T12:16:17", "published": "2010-12-13T05:00:00", "id": "RHSA-2010:0978", "href": "https://access.redhat.com/errata/RHSA-2010:0978", "type": "redhat", "title": "(RHSA-2010:0978) Moderate: openssl security update", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-12-11T17:44:23", "bulletinFamily": "unix", "description": "OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)\nand Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nIt was discovered that OpenSSL did not always check the return value of the\nbn_wexpand() function. An attacker able to trigger a memory allocation\nfailure in that function could cause an application using the OpenSSL\nlibrary to crash or, possibly, execute arbitrary code. (CVE-2009-3245)\n\nAll openssl096b users should upgrade to these updated packages, which\ncontain a backported patch to resolve this issue. 
For the update to take\neffect, all programs using the openssl096b library must be restarted.", "modified": "2018-05-26T04:26:17", "published": "2010-03-25T04:00:00", "id": "RHSA-2010:0173", "href": "https://access.redhat.com/errata/RHSA-2010:0173", "type": "redhat", "title": "(RHSA-2010:0173) Important: openssl096b security update", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-11T19:42:28", "bulletinFamily": "unix", "description": "OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)\nand Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nA ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code.\nA remote attacker could possibly use this flaw to change the ciphersuite\nassociated with a cached session stored on the server, if the server\nenabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly\nforcing the client to use a weaker ciphersuite after resuming the session.\n(CVE-2010-4180)\n\nNote: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG\noption has no effect and this bug workaround can no longer be enabled.\n\nAll OpenSSL users should upgrade to these updated packages, which contain a\nbackported patch to resolve this issue. 
For the update to take effect, all\nservices linked to the OpenSSL library must be restarted, or the system\nrebooted.\n", "modified": "2018-06-06T20:24:27", "published": "2010-12-13T05:00:00", "id": "RHSA-2010:0979", "href": "https://access.redhat.com/errata/RHSA-2010:0979", "type": "redhat", "title": "(RHSA-2010:0979) Moderate: openssl security update", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "openssl": [{"lastseen": "2016-09-26T17:22:35", "bulletinFamily": "software", "description": "It was discovered that OpenSSL did not always check the return value of the bn_wexpand() function. An attacker able to trigger a memory allocation failure in that function could cause an application using the OpenSSL library to crash or, possibly, execute arbitrary code. Reported by Martin Olsson, Neel Mehta.", "modified": "2010-02-23T00:00:00", "published": "2010-02-23T00:00:00", "id": "OPENSSL:CVE-2009-3245", "href": "https://www.openssl.org/news/vulnerabilities.html", "type": "openssl", "title": "Vulnerability in OpenSSL (CVE-2009-3245)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-26T17:22:35", "bulletinFamily": "software", "description": "A flaw in the OpenSSL SSL/TLS server code where an old bug workaround allows malicious clients to modify the stored session cache ciphersuite. In some cases the ciphersuite can be downgraded to a weaker one on subsequent connections. This issue only affects an OpenSSL-based SSL/TLS server if it uses OpenSSL's internal caching mechanisms and the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG flag (many applications enable this by using the SSL_OP_ALL option). 
Reported by Martin Rex.", "modified": "2010-12-02T00:00:00", "published": "2010-12-02T00:00:00", "id": "OPENSSL:CVE-2010-4180", "href": "https://www.openssl.org/news/vulnerabilities.html", "type": "openssl", "title": "Vulnerability in OpenSSL (CVE-2010-4180)", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "oraclelinux": [{"lastseen": "2018-08-31T01:39:45", "bulletinFamily": "unix", "description": "[0.9.8e-12.7]\n- fix CVE-2010-4180 - completely disable code for\n SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (#659462)", "modified": "2010-12-13T00:00:00", "published": "2010-12-13T00:00:00", "id": "ELSA-2010-0978", "href": "http://linux.oracle.com/errata/ELSA-2010-0978.html", "title": "openssl security update", "type": "oraclelinux", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T01:47:52", "bulletinFamily": "unix", "description": "[0.9.6b-22.46.1]\n- CVE-2009-3245 - add missing checks for bn_wexpand failures (#570924)", "modified": "2010-03-25T00:00:00", "published": "2010-03-25T00:00:00", "id": "ELSA-2010-0173", "href": "http://linux.oracle.com/errata/ELSA-2010-0173.html", "title": "openssl096b security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T01:47:53", "bulletinFamily": "unix", "description": "[1.0.0-4.2]\n- disable code for SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG - CVE-2010-3864\n (#649304)\n[1.0.0-4.1]\n- fix race in extension parsing code - CVE-2010-3864 (#649304)", "modified": "2011-02-10T00:00:00", "published": "2011-02-10T00:00:00", "id": "ELSA-2010-0979", "href": "http://linux.oracle.com/errata/ELSA-2010-0979.html", "title": "openssl security update", "type": "oraclelinux", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:38", 
"bulletinFamily": "software", "description": "\r\n===========================================================\r\nUbuntu Security Notice USN-1029-1 December 08, 2010\r\nopenssl vulnerabilities\r\nCVE-2008-7270, CVE-2010-4180\r\n===========================================================\r\n\r\nA security issue affects the following Ubuntu releases:\r\n\r\nUbuntu 6.06 LTS\r\nUbuntu 8.04 LTS\r\nUbuntu 9.10\r\nUbuntu 10.04 LTS\r\nUbuntu 10.10\r\n\r\nThis advisory also applies to the corresponding versions of\r\nKubuntu, Edubuntu, and Xubuntu.\r\n\r\nThe problem can be corrected by upgrading your system to the\r\nfollowing package versions:\r\n\r\nUbuntu 6.06 LTS:\r\n libssl0.9.8 0.9.8a-7ubuntu0.14\r\n\r\nUbuntu 8.04 LTS:\r\n libssl0.9.8 0.9.8g-4ubuntu3.13\r\n\r\nUbuntu 9.10:\r\n libssl0.9.8 0.9.8g-16ubuntu3.5\r\n\r\nUbuntu 10.04 LTS:\r\n libssl0.9.8 0.9.8k-7ubuntu8.5\r\n\r\nUbuntu 10.10:\r\n libssl0.9.8 0.9.8o-1ubuntu4.3\r\n\r\nAfter a standard system update you need to reboot your computer to make\r\nall the necessary changes.\r\n\r\nDetails follow:\r\n\r\nIt was discovered that an old bug workaround in the SSL/TLS\r\nserver code allowed an attacker to modify the stored session cache\r\nciphersuite. This could possibly allow an attacker to downgrade the\r\nciphersuite to a weaker one on subsequent connections. (CVE-2010-4180)\r\n\r\nIt was discovered that an old bug workaround in the SSL/TLS server\r\ncode allowed an attacker to modify the stored session cache\r\nciphersuite. An attacker could possibly take advantage of this to\r\nforce the use of a disabled cipher. This vulnerability only affects\r\nthe versions of OpenSSL in Ubuntu 6.06 LTS, Ubuntu 8.04 LTS, and\r\nUbuntu 9.10. 
(CVE-2008-7270)\r\n\r\n\r\nUpdated packages for Ubuntu 10.04 LTS:\r\n\r\n amd64 architecture (Athlon64, Opteron, EM64T Xeon):\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8k-7ubuntu8.5_amd64.deb\r\n Size/MD5: 406378 
2aee12190747b060f4ad6bfd3a182bd6\r\n\r\n i386 architecture (x86 compatible Intel/AMD):\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8k-7ubuntu8.5_i386.udeb\r\n Size/MD5: 582640 ce87be9268c6ce3550bb7935460b3976\r\n http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8k-7ubuntu8.5_i386.deb\r\n Size/MD5: 2006462 cb6fe50961fe89ee67f0c13c26d424f5\r\n http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8k-7ubuntu8.5_i386.deb\r\n Size/MD5: 5806248 7c21c1a2ea1ce8201904b2a99537cad6\r\n http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-udeb_0.9.8k-7ubuntu8.5_i386.udeb\r\n Size/MD5: 129708 77ff3896e3c541f1d9c0eb161c919882\r\n http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8k-7ubuntu8.5_i386.deb\r\n Size/MD5: 3014932 4e61de0d021f49ac5fc2884d2d252854\r\n http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8k-7ubuntu8.5_i386.deb\r\n Size/MD5: 400398 7654a219a640549e8d34bb91e34a815b\r\n\r\n armel architecture (ARM Architecture):\r\n\r\n http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8k-7ubuntu8.5_armel.udeb\r\n Size/MD5: 532306 9a4d5169e5e3429581bb16d6e61e334a\r\n http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8k-7ubuntu8.5_armel.deb\r\n Size/MD5: 1935426 fb725096f798314e1cd76248599ec61a\r\n http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8k-7ubuntu8.5_armel.deb\r\n Size/MD5: 1624382 6833d33bed6fbe0ad61d8615d56089f7\r\n http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-udeb_0.9.8k-7ubuntu8.5_armel.udeb\r\n Size/MD5: 115630 55449ab904a6b52402a3cd88b763f384\r\n http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8k-7ubuntu8.5_armel.deb\r\n Size/MD5: 849068 ace9af9701bd1aa8078f8371bb5a1249\r\n http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8k-7ubuntu8.5_armel.deb\r\n Size/MD5: 394182 198be7154104014118c0bee633ad3524\r\n\r\n powerpc architecture (Apple Macintosh G3/G4/G5):\r\n\r\n 
http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8k-7ubuntu8.5_powerpc.udeb\r\n Size/MD5: 627050 1057f1e1b4c7fb2129064149fdc15e7e\r\n http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8k-7ubuntu8.5_powerpc.deb\r\n Size/MD5: 2147452 41e5eb249a3a2619d0add96808c9e6e4\r\n http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8k-7ubuntu8.5_powerpc.deb\r\n Size/MD5: 1718790 6161e426e833e984a2dbe5fbae29ceec\r\n http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-udeb_0.9.8k-7ubuntu8.5_powerpc.udeb\r\n Size/MD5: 135530 26aba12ee4ba7caff0f2653c12318e92\r\n http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8k-7ubuntu8.5_powerpc.deb\r\n Size/MD5: 969544 822b91a90cf91650f12a3ce9200e9dc0\r\n http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8k-7ubuntu8.5_powerpc.deb\r\n Size/MD5: 402878 79e80d92494b2f74241edcd18ba6f994\r\n\r\n sparc architecture (Sun SPARC/UltraSPARC):\r\n\r\n http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8k-7ubuntu8.5_sparc.udeb\r\n Size/MD5: 597964 a4e6860a52c0681b36b1ca553bccd805\r\n http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8k-7ubuntu8.5_sparc.deb\r\n Size/MD5: 2065638 05c803f4fd599d46162db5de530236f5\r\n http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8k-7ubuntu8.5_sparc.deb\r\n Size/MD5: 4094390 8a1251f546bf8e449fe2952b25029f53\r\n http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-udeb_0.9.8k-7ubuntu8.5_sparc.udeb\r\n Size/MD5: 125862 75b8bdc987cf37a65d73b31c74c664ee\r\n http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8k-7ubuntu8.5_sparc.deb\r\n Size/MD5: 2353876 6ef537e63f9551a927f52cc87befbc60\r\n http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8k-7ubuntu8.5_sparc.deb\r\n Size/MD5: 419348 b17aeb96b578e199d33b02c5eab2ae19\r\n\r\nUpdated packages for Ubuntu 10.10:\r\n\r\n Source archives:\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8o-1ubuntu4.3.debian.tar.gz\r\n Size/MD5: 92255 
055df7f147cbad0066f88a0f2fa62cf5\r\n http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8o-1ubuntu4.3.dsc\r\n Size/MD5: 2118 8a81f824f312fb4033e1ab28a27ff99e\r\n http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8o.orig.tar.gz\r\n Size/MD5: 3772542 63ddc5116488985e820075e65fbe6aa4\r\n\r\n Architecture independent packages:\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl-doc_0.9.8o-1ubuntu4.3_all.deb\r\n Size/MD5: 645798 04eb700e0335d703bd6f610688bc3374\r\n\r\n amd64 architecture (Athlon64, Opteron, EM64T Xeon):\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8o-1ubuntu4.3_amd64.udeb\r\n Size/MD5: 620316 df1d96cf5dbe9ea0b5ab1ef6f09b9194\r\n http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8o-1ubuntu4.3_amd64.deb\r\n Size/MD5: 2159884 a8fc3df0bf6af3350fe8f304eb29d90d\r\n http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8o-1ubuntu4.3_amd64.deb\r\n Size/MD5: 1550444 f51ab29ef9e5e2636eb9b943d6e1d4b1\r\n http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-udeb_0.9.8o-1ubuntu4.3_amd64.udeb\r\n Size/MD5: 137384 72d04c14a09c287978aec689872bde8c\r\n http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8o-1ubuntu4.3_amd64.deb\r\n Size/MD5: 923380 91e5f4df1c1e011ee449ff6424ecb832\r\n http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8o-1ubuntu4.3_amd64.deb\r\n Size/MD5: 406978 e9a055390d250ffc516518b53bb8bb36\r\n\r\n i386 architecture (x86 compatible Intel/AMD):\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8o-1ubuntu4.3_i386.udeb\r\n Size/MD5: 570730 42ed7f9d05ca2b4d260cb3eb07832306\r\n http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8o-1ubuntu4.3_i386.deb\r\n Size/MD5: 2012542 2132edd3a3e0eecd04efd4645b8f583f\r\n http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8o-1ubuntu4.3_i386.deb\r\n Size/MD5: 1553718 
a842382c89c5a0ad0a88f979b9ffbd7e\r\n http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-udeb_0.9.8o-1ubuntu4.3_i386.udeb\r\n Size/MD5: 130462 4d2506b23b5abfa3be3e7fb8543c8d70\r\n http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8o-1ubuntu4.3_i386.deb\r\n Size/MD5: 866348 3c2ea45d798374c21b800dcf59d0a4c1\r\n http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8o-1ubuntu4.3_i386.deb\r\n Size/MD5: 400064 b1b5e14e431ae7c6c5fad917f6ce596f\r\n\r\n armel architecture (ARM Architecture):\r\n\r\n http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8o-1ubuntu4.3_armel.udeb\r\n Size/MD5: 566054 5561d1894ad32ac689593ddd4b4a0609\r\n http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8o-1ubuntu4.3_armel.deb\r\n Size/MD5: 2012710 fd1d0612b6a89b26b0d32c72087538fd\r\n http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8o-1ubuntu4.3_armel.deb\r\n Size/MD5: 1542334 7609e92dc5d8d3030a65f4be81b862b2\r\n http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-udeb_0.9.8o-1ubuntu4.3_armel.udeb\r\n Size/MD5: 120434 8d289d3446bdcdc8c297066608e72322\r\n http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8o-1ubuntu4.3_armel.deb\r\n Size/MD5: 851396 f5c3eb4c55ef9a9985a88bbaed3ec2ca\r\n http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8o-1ubuntu4.3_armel.deb\r\n Size/MD5: 406412 3bd3e64fd628b294b6ea47eb5f3c6a27\r\n\r\n powerpc architecture (Apple Macintosh G3/G4/G5):\r\n\r\n http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8o-1ubuntu4.3_powerpc.udeb\r\n Size/MD5: 616138 19c9d86e43e2680921dd0a726a4dc955\r\n http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8o-1ubuntu4.3_powerpc.deb\r\n Size/MD5: 2154670 b22a1c4b9b05a87ab3b3ad494d5627f6\r\n http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8o-1ubuntu4.3_powerpc.deb\r\n Size/MD5: 1618586 3b2e33b46a007144b61c2469c7a2cbc7\r\n 
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-udeb_0.9.8o-1ubuntu4.3_powerpc.udeb\r\n Size/MD5: 136044 37e9e3fdc5d3dd5a9f931f33e523074e\r\n http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8o-1ubuntu4.3_powerpc.deb\r\n Size/MD5: 917582 674b2479c79c72b479f91433a34cb0fb\r\n http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8o-1ubuntu4.3_powerpc.deb\r\n Size/MD5: 402026 a9001ad881ad996d844b12bd7d427d76\r\n\r\n", "modified": "2010-12-09T00:00:00", "published": "2010-12-09T00:00:00", "id": "SECURITYVULNS:DOC:25258", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25258", "title": "[USN-1029-1] OpenSSL vulnerabilities", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:09:39", "bulletinFamily": "software", "description": "Attacker can downgrade cipher level for subsequent connections.", "modified": "2010-12-09T00:00:00", "published": "2010-12-09T00:00:00", "id": "SECURITYVULNS:VULN:11284", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11284", "title": "OpenSSL protection level downgrade", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:48", "bulletinFamily": "software", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c03819065\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c03819065\r\nVersion: 1\r\n\r\nHPSBPV02891 rev.1 - HP ProCurve Switches, Remote Unauthorized Information\r\nDisclosure\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2013-07-15\r\nLast Updated: 2013-07-15\r\n\r\nPotential Security Impact: Remote unauthorized information 
disclosure\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP ProCurve\r\nSwitches. The vulnerability could be remotely exploited resulting in\r\nunauthorized information disclosure.\r\n\r\nReferences: CVE-2008-7270 (SSRT101113)\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nPlease refer to the RESOLUTION\r\n section below for a list of impacted products.\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2008-7270 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\nHP has made the following software updates available to resolve the\r\nvulnerability.\r\n\r\nHP Branded Products Impacted\r\n Fixed Version\r\n\r\nJ9565A HP 2615-8-PoE Switch\r\nJ9562A HP 2915-8G-PoE Switch\r\n A.14.20 or A.15.06\r\n\r\nJ4850A HP ProCurve Switch 5304xl\r\nJ8166A HP ProCurve Switch 5304xl-32G\r\nJ4819A HP ProCurve Switch 5308xl\r\nJ8167A HP ProCurve Switch 5308xl-48G\r\nJ4849A HP ProCurve Switch 5348xl\r\nJ4849B HP ProCurve Switch 5348xl\r\nJ4848A HP ProCurve Switch 5372xl\r\nJ4848B HP ProCurve Switch 5372xl\r\n\r\n E.11.34\r\n\r\nJ8762A HP E2600-8-PoE Switch\r\nJ4900A HP PROCURVE SWITCH 2626\r\nJ4900B HP ProCurve Switch 2626\r\nJ4900C ProCurve Switch 2626\r\nJ4899A HP ProCurve Switch 2650\r\nJ4899B HP ProCurve Switch 2650\r\nJ4899C ProCurve Switch 2650\r\nJ8164A ProCurve Switch 2626-PWR\r\nJ8165A HP ProCurve Switch 2650-PWR\r\n H.10.108\r\n\r\nJ4903A ProCurve Switch 2824\r\nJ4904A HP ProCurve Switch 2848\r\n i.10.98\r\n\r\nJ9299A HP 2520-24G-PoE Switch\r\nJ9298A HP 2520-8G-PoE Switch\r\n J.14.61 or J.15.06\r\n\r\nJ8772B HP 4202-72 Vl Switch\r\nJ8770A HP 4204 Vl Switch Chassis\r\nJ9064A HP 
4204-44G-4SFP Vl Switch\r\nJ8773A HP 4208 Vl Switch Chassis\r\nJ9030A HP 4208-68G-4SFP Vl Switch\r\nJ8775B HP 4208-96 Vl Switch\r\nJ8771A ProCurve Switch 4202VL-48G\r\nJ8772A ProCurve Switch 4202VL-72\r\nJ8774A ProCurve Switch 4208VL-64G\r\nJ8775A ProCurve Switch 4208VL-96\r\n L.11.38\r\n\r\nJ4906A HP E3400-48G cl Switch\r\nJ4905A HP ProCurve Switch 3400cl-24G\r\n M.10.95\r\n\r\nJ9021A HP 2810-24G Switch\r\nJ9022A HP 2810-48G Switch\r\n N.11.56\r\n\r\nJ9019B HP 2510-24 Switch\r\nJ9019A ProCurve Switch 2510-24\r\n Q.11.55\r\n\r\nJ9085A HP 2610-24 Switch\r\nJ9087A HP 2610-24-PoE Switch\r\nJ9086A HP 2610-24-PPoE Switch\r\nJ9088A HP 2610-48 Switch\r\nJ9089A HP 2610-48-PoE Switch\r\n\r\n R.11.92\r\n\r\nJ9138A HP 2520-24-PoE Switch\r\nJ9137A HP 2520-8-PoE Switch\r\n S.14.36 or S.15.06\r\n\r\nJ9020A HP 2510-48 Switch\r\n U.11.43\r\n\r\nJ9279A HP 2510-24G Switch\r\nJ9280A HP 2510-48G Switch\r\n Y.11.38\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 15 July 2013 Initial Release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. 
For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2013 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits;damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. 
Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2.0.19 (GNU/Linux)\r\n\r\niEYEARECAAYFAlHkUHIACgkQ4B86/C0qfVkFTgCfWqzaANLzNY0UjiQa8q0E4CEF\r\n5KoAnRTWmoLnkk/TJLatSQVva7Bu2KId\r\n=Azhn\r\n-----END PGP SIGNATURE-----\r\n", "modified": "2013-07-16T00:00:00", "published": "2013-07-16T00:00:00", "id": "SECURITYVULNS:DOC:29608", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29608", "title": "[security bulletin] HPSBPV02891 rev.1 - HP ProCurve Switches, Remote Unauthorized Information Disclosure", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:44", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c03263573\r\nVersion: 1\r\n\r\nHPSBMU02759 SSRT100817 rev.1 - HP Onboard Administrator (OA), Remote Unauthorized Access, Unauthorized Information Disclosure, Denial of Service (DoS), URL Redirection\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as soon as possible.\r\n\r\nRelease Date: 2012-04-02\r\nLast Updated: 2012-04-02\r\n\r\nPotential Security Impact: Remote unauthorized access, unauthorized information disclosure, Denial of Service (DoS), URL redirection\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nPotential security vulnerabilities have been identified with HP Onboard Administrator (OA). 
The vulnerabilities could be exploited remotely resulting in unauthorized access, unauthorized information disclosure, Denial of Service (DoS), and URL redirection.\r\n\r\nReferences: CVE-2012-0128 (URL redirection), CVE-2012-0129 (unauthorized access), CVE-2012-0130 (unauthorized information disclosure), CVE-2010-4180, CVE-2009-3555, CVE-2008-7270\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Onboard Administrator (OA) up to and including v3.32\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2012-0128 (AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8\r\nCVE-2012-0129 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6\r\nCVE-2012-0130 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\nCVE-2009-3555 (AV:N/AC:M/Au:N/C:N/I:P/A:P) 5.8\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has made Onboard Administrator (OA) v3.50 or subsequent available to resolve the vulnerabilities.\r\n\r\nOnboard Administrator (OA) v3.50 is available here:\r\n\r\nhttp://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareIndex.jsp?lang=en&cc=us&prodNameId=3188475&prodTypeId=329290&prodSeriesId=3188465&swLang=8&taskId=135&swEnvOID=1113\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 2 April 2012 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. 
For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is available here: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in the title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2012 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. 
Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niEYEARECAAYFAk95svcACgkQ4B86/C0qfVnCTACg5gzR3SzcM2e3KQIFtrWXHMxW\r\nMKIAoKpq60Xl5yi8LOVE5OikAF7I7CkF\r\n=G/We\r\n-----END PGP SIGNATURE-----\r\n", "modified": "2012-04-09T00:00:00", "published": "2012-04-09T00:00:00", "id": "SECURITYVULNS:DOC:27881", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27881", "title": "[security bulletin] HPSBMU02759 SSRT100817 rev.1 - HP Onboard Administrator (OA), Remote Unauthorized Access, Unauthorized Information Disclosure, Denial of Service (DoS), URL Redirection", "type": "securityvulns", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2018-08-31T00:09:28", "bulletinFamily": "unix", "description": "It was discovered that an old bug workaround in the SSL/TLS server code allowed an attacker to modify the stored session cache ciphersuite. This could possibly allow an attacker to downgrade the ciphersuite to a weaker one on subsequent connections. (CVE-2010-4180)\n\nIt was discovered that an old bug workaround in the SSL/TLS server code allowed an attacker to modify the stored session cache ciphersuite. An attacker could possibly take advantage of this to force the use of a disabled cipher. This vulnerability only affects the versions of OpenSSL in Ubuntu 6.06 LTS, Ubuntu 8.04 LTS, and Ubuntu 9.10. 
(CVE-2008-7270)", "modified": "2010-12-08T00:00:00", "published": "2010-12-08T00:00:00", "id": "USN-1029-1", "href": "https://usn.ubuntu.com/1029-1/", "title": "OpenSSL vulnerabilities", "type": "ubuntu", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T00:09:24", "bulletinFamily": "unix", "description": "It was discovered that OpenSSL incorrectly handled return codes from the bn_wexpand function calls. A remote attacker could trigger this flaw in services that used SSL to cause a denial of service or possibly execute arbitrary code with application privileges. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 9.04 and 9.10. (CVE-2009-3245)\n\nIt was discovered that OpenSSL incorrectly handled certain private keys with an invalid prime. A remote attacker could trigger this flaw in services that used SSL to cause a denial of service or possibly execute arbitrary code with application privileges. The default compiler options for affected releases should reduce the vulnerability to a denial of service. 
(CVE-2010-2939)", "modified": "2010-10-07T00:00:00", "published": "2010-10-07T00:00:00", "id": "USN-1003-1", "href": "https://usn.ubuntu.com/1003-1/", "title": "OpenSSL vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2016-09-04T11:30:36", "bulletinFamily": "unix", "description": "The openSSL library was updated to add support for the new RFC5746 TLS renegotiation feature to address vulnerabilities tracked as CVE-2009-3555, backported from openssl 0.9.8m.\n#### Solution\nThere is no known workaround, please install the update packages.", "modified": "2010-04-06T16:55:06", "published": "2010-04-06T16:55:06", "id": "SUSE-SA:2010:020", "href": "http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00000.html", "type": "suse", "title": "remote denial of service, man in the middle in openssl", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2018-10-16T22:14:29", "bulletinFamily": "unix", "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-2141-1 security@debian.org\nhttp://www.debian.org/security/ Stefan Fritsch\nJanuary 06, 2011 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : openssl\nVulnerability : SSL/TLS insecure renegotiation protocol design flaw\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2009-3555 CVE-2010-4180\nDebian Bug : 555829\n\nCVE-2009-3555:\n\nMarsh Ray, Steve Dispensa, and Martin Rex discovered a flaw in the TLS\nand SSLv3 protocols. If an attacker could perform a man in the middle\nattack at the start of a TLS connection, the attacker could inject\narbitrary content at the beginning of the user's session. 
This update\nadds backported support for the new RFC5746 renegotiation extension\nwhich fixes this issue.\n\nIf openssl is used in a server application, it will by default no\nlonger accept renegotiation from clients that do not support the\nRFC5746 secure renegotiation extension. A separate advisory will add\nRFC5746 support for nss, the security library used by the iceweasel\nweb browser. For apache2, there will be an update which allows to\nre-enable insecure renegotiation.\n\nThis version of openssl is not compatible with older versions of tor.\nYou have to use at least tor version 0.2.1.26-1~lenny+1, which has\nbeen included in the point release 5.0.7 of Debian stable.\n\nCurrently we are not aware of other software with similar compatibility\nproblems.\n\n\nCVE-2010-4180:\n \nIn addition, this update fixes a flaw that allowed a client to bypass\nrestrictions configured in the server for the used cipher suite.\n\n\nFor the stable distribution (lenny), this problem has been fixed\nin version 0.9.8g-15+lenny11.\n\nFor the unstable distribution (sid), and the testing distribution\n(squeeze), this problem has been fixed in version 0.9.8o-4.\n\nWe recommend that you upgrade your openssl package.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2011-01-05T23:18:20", "published": "2011-01-05T23:18:20", "id": "DEBIAN:DSA-2141-1:4DDA2", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2011/msg00001.html", "title": "[SECURITY] [DSA-2141-1] New openssl packages fix protocol design flaw", "type": "debian", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "slackware": [{"lastseen": "2018-08-31T00:36:51", "bulletinFamily": "unix", "description": "New openssl packages are available for 
Slackware 11.0, 12.0, 12.1, 12.2, 13.0,\n13.1, and -current to fix security issues.\n\n\nHere are the details from the Slackware 13.1 ChangeLog:\n\npatches/packages/openssl-0.9.8q-i486-1_slack13.1.txz: Upgraded.\n This OpenSSL update contains some security related bugfixes.\n For more information, see the included CHANGES and NEWS files, and:\n http://www.openssl.org/news/secadv_20101202.txt\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4180\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4252\n (* Security fix *)\npatches/packages/openssl-solibs-0.9.8q-i486-1_slack13.1.txz: Upgraded.\n (* Security fix *)\n\nWhere to find the new packages:\n\nHINT: Getting slow download speeds from ftp.slackware.com?\nGive slackware.osuosl.org a try. This is another primary FTP site\nfor Slackware that can be considerably faster than downloading\ndirectly from ftp.slackware.com.\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating additional FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated packages for Slackware 11.0:\nftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/openssl-0.9.8q-i486-1_slack11.0.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/openssl-solibs-0.9.8q-i486-1_slack11.0.tgz\n\nUpdated packages for Slackware 12.0:\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/openssl-0.9.8q-i486-1_slack12.0.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/openssl-solibs-0.9.8q-i486-1_slack12.0.tgz\n\nUpdated packages for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/openssl-0.9.8q-i486-1_slack12.1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/openssl-solibs-0.9.8q-i486-1_slack12.1.tgz\n\nUpdated packages for Slackware 12.2:\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/openssl-0.9.8q-i486-1_slack12.2.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/openssl-solibs-0.9.8q-i486-1_slack12.2.tgz\n\nUpdated packages for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssl-0.9.8q-i486-1_slack13.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssl-solibs-0.9.8q-i486-1_slack13.0.txz\n\nUpdated packages for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/openssl-0.9.8q-x86_64-1_slack13.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/openssl-solibs-0.9.8q-x86_64-1_slack13.0.txz\n\nUpdated packages for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssl-0.9.8q-i486-1_slack13.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssl-solibs-0.9.8q-i486-1_slack13.1.txz\n\nUpdated packages for Slackware x86_64 
13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/openssl-0.9.8q-x86_64-1_slack13.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/openssl-solibs-0.9.8q-x86_64-1_slack13.1.txz\n\nUpdated packages for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/openssl-solibs-0.9.8q-i486-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssl-0.9.8q-i486-1.txz\n\nUpdated packages for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/openssl-solibs-0.9.8q-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/openssl-0.9.8q-x86_64-1.txz\n\n\nMD5 signatures:\n\n\nInstallation instructions:\n\nUpgrade the packages as root:\n > upgradepkg openssl-0.9.8q-i486-1_slack13.1.txz openssl-solibs-0.9.8q-i486-1_slack13.1.txz", "modified": "2010-12-06T23:14:58", "published": "2010-12-06T23:14:58", "id": "SSA-2010-340-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.668471", "title": "openssl", "type": "slackware", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}