The following Fedora EPEL 5 Security updates need testing:
Age URL
836
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2014-3849
sblim-sfcb-1.3.8-2.el5
479
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-edbea40516
mcollective-2.8.4-1.el5
450
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-582c8075e6
thttpd-2.25b-24.el5
61
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-ce45574ab6
libbsd-0.8.3-2.el5
0
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-90b2cbfdaf
openssl101e-1.0.1e-10.el5
The following builds have been pushed to Fedora EPEL 5 updates-testing
openssl101e-1.0.1e-10.el5
Details about builds:
================================================================================
openssl101e-1.0.1e-10.el5 (FEDORA-EPEL-2017-90b2cbfdaf)
A general purpose cryptography library with TLS implementation
--------------------------------------------------------------------------------
Update Information:
OpenSSL ======= Security Fixes -------------- * An integer underflow leading
to an out of bounds read flaw was found in OpenSSL. A remote attacker could
possibly use this flaw to crash a 32-bit TLS/SSL server or client using OpenSSL
if it used the RC4-MD5 cipher suite. (CVE-2017-3731) * A denial of service
flaw was found in the way the TLS/SSL protocol defined processing of ALERT
packets during a connection handshake. A remote attacker could use this flaw to
make a TLS/SSL server consume an excessive amount of CPU and fail to accept
connections form other clients. (CVE-2016-8610) * The signing function in
crypto/ecdsa/ecdsa_ossl.c in certain OpenSSL versions and forks is vulnerable to
timing attacks when signing with the standardized elliptic curve P-256 despite
featuring constant-time curve operations and modular inversion. A software
defect omits setting the BN_FLG_CONSTTIME flag for nonces, failing to take a
secure code path in the BN_mod_inverse method and therefore resulting in a
cache-timing attack vulnerability. A malicious user with local access can
recover ECDSA P-256 private keys. (CVE-2016-7056)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1384743 - CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could
cause remote DoS
https://bugzilla.redhat.com/show_bug.cgi?id=1384743
[ 2 ] Bug #1416852 - CVE-2017-3731 openssl: Truncated packet could crash via OOB read
https://bugzilla.redhat.com/show_bug.cgi?id=1416852
[ 3 ] Bug #1412120 - CVE-2016-7056 openssl: ECDSA P-256 timing attack key recovery
https://bugzilla.redhat.com/show_bug.cgi?id=1412120
--------------------------------------------------------------------------------