OpenSSL updated on Redhat 5/6

[Floren]

A NULL pointer dereference flaw was found in the way OpenSSL parsed Secure/Multipurpose Internet Mail Extensions (S/MIME) messages. An attacker could use this flaw to crash an application that uses OpenSSL to decrypt or verify S/MIME messages.

This update also fixes a regression caused by the fix for CVE-2011-4619, released via RHSA-2012:0060 and RHSA-2012:0059, which caused Server Gated Cryptography (SGC) handshakes to fail.

Update your systems ASAP, via yum update. Redhat ERRATA

 

[MattW]

Mine looks to have taken care of itself overnight in CentOS 5

Mar 29 02:06:34 Updated: openssl-0.9.8e-22.el5_8.1.i686
Mar 29 02:06:38 Updated: openssl-devel-0.9.8e-22.el5_8.1.i386

 

[Floren]

Is that a production box? You should not have any development RPM's in production.

 

[MattW]

Yes it is, and just looking at the yum logs has been there since at least 2009

sudo grep -i ssl-devel yum*
yum.log:Jan 25 21:06:42 Updated: openssl-devel-0.9.8e-20.el5_7.1.i386
yum.log:Feb 07 21:06:26 Updated: openssl-devel-0.9.8e-20.el5_7.1.0.1.centos.i386
yum.log:Mar 12 22:14:28 Updated: openssl-devel-0.9.8e-22.el5.i386
yum.log:Mar 29 02:06:38 Updated: openssl-devel-0.9.8e-22.el5_8.1.i386
yum.log.2:Sep 14 21:08:46 Updated: openssl-devel-0.9.8e-20.el5.i386
yum.log.3:Jan 21 21:07:04 Updated: openssl-devel-0.9.8e-12.el5_4.1.i386
yum.log.3:Mar 28 21:06:32 Updated: openssl-devel-0.9.8e-12.el5_4.6.i386
yum.log.3:Dec 14 21:06:35 Updated: openssl-devel-0.9.8e-12.el5_5.7.i386
yum.log.4:Sep 16 00:35:22 Updated: openssl-devel-0.9.8e-12.el5.i386

ls -al yum*
-rw------- 1 root root 10262 Mar 29 02:06 yum.log
-rw------- 1 root root   173 Dec 28 21:06 yum.log.1
-rw------- 1 root root 19382 Dec 12 21:06 yum.log.2
-rw------- 1 root root 26038 Dec 27  2010 yum.log.3
-rw------- 1 root root 14308 Dec 19  2009 yum.log.4