OpenSSL upstream reported the following security flaw: When OpenSSL is configured with "no-ssl3" as a build option, servers could still accept and complete an SSL 3.0 handshake, and clients could still be configured to send one. OpenSSL 1.0.1 users should upgrade to 1.0.1j. OpenSSL 1.0.0 users should upgrade to 1.0.0o. OpenSSL 0.9.8 users should upgrade to 0.9.8zc. This issue was reported to OpenSSL by Akamai Technologies on 14th October 2014. The fix was developed by Akamai and the OpenSSL team. External Reference: https://www.openssl.org/news/secadv_20141015.txt
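The practical question for a defender is whether a server that is supposed to have SSL 3.0 disabled still completes an SSL 3.0 handshake. The following is an added example, not code from OpenSSL, Akamai or Red Hat: it parses the record and handshake headers of a captured ClientHello or ServerHello and reports the protocol version carried in the message, so that a ServerHello with version 3.0 (the server agreed to SSLv3) can be flagged. The `build_hello` helper and the records it produces are constructed for the example; the cipher suite value and zeroed random field are placeholders.

```python
import struct

HANDSHAKE = 0x16          # TLS record content type for handshake messages
CLIENT_HELLO = 1
SERVER_HELLO = 2
SSL3 = (3, 0)             # protocol version bytes for SSL 3.0

VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}


def parse_hello(record: bytes):
    """Return (msg_type, (major, minor)) for a ClientHello or ServerHello
    record, None for any other record or handshake type.

    For a ClientHello the version is the highest version the client offers;
    for a ServerHello it is the version the server actually selected, which
    is the field that tells you whether an SSL 3.0 handshake was completed.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rmajor, _rminor, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != HANDSHAKE:
        return None
    body = record[5:5 + rlen]
    if len(body) < 6:
        raise ValueError("truncated handshake header")
    msg_type = body[0]
    hlen = int.from_bytes(body[1:4], "big")
    if msg_type not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    if hlen < 2 or len(body) < 4 + hlen:
        raise ValueError("handshake length exceeds record payload")
    return msg_type, (body[4], body[5])


def version_name(record: bytes) -> str:
    """Human-readable version of a hello record, or 'unknown' for other records."""
    parsed = parse_hello(record)
    if parsed is None:
        return "unknown"
    return VERSION_NAMES.get(parsed[1], "unknown %d.%d" % parsed[1])


def server_completed_sslv3(record: bytes) -> bool:
    """True when the record is a ServerHello selecting SSL 3.0."""
    parsed = parse_hello(record)
    return parsed is not None and parsed[0] == SERVER_HELLO and parsed[1] == SSL3


def build_hello(msg_type: int, version: tuple, cipher: bytes = b"\x00\x2f") -> bytes:
    """Construct a minimal ClientHello/ServerHello record for testing (constructed data)."""
    random = bytes(32)                      # placeholder random, fine for parsing tests
    if msg_type == SERVER_HELLO:
        # version + random + empty session id + chosen cipher + null compression
        body = bytes(version) + random + b"\x00" + cipher + b"\x00"
    else:
        # version + random + empty session id + one-suite list + one compression method
        body = bytes(version) + random + b"\x00" + b"\x00\x02" + cipher + b"\x01\x00"
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(version) + len(hs).to_bytes(2, "big") + hs


if __name__ == "__main__":
    for label, rec in (("server SSLv3", build_hello(SERVER_HELLO, SSL3)),
                       ("server TLS1.2", build_hello(SERVER_HELLO, (3, 3)))):
        print(label, version_name(rec), "SSLv3 completed:", server_completed_sslv3(rec))
```

Run against the server-side ServerHello of a captured handshake (the first handshake record from the server) to confirm that a host built or configured without SSL 3.0 never selects version 3.0; a ClientHello offering 3.0 only shows that a peer is willing to use it, not that the server accepted it.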
Statement: Not vulnerable. The versions of the openssl package as shipped in Red Hat Enterprise Linux 5, 6 and 7; Red Hat JBoss Enterprise Application Platform 5 and 6; and Red Hat JBoss Enterprise Web Server 1 and 2 are not built with the "no-ssl3" option and are therefore not vulnerable to this security flaw.
Upstream patch: OpenSSL-1.0.1: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=26a59d9b46574e457870197dffa802871b4c8fc7 OpenSSL-0.9.8: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=cd332a07503bd9771595de87e768179f81715704
Fixed upstream in OpenSSL versions 0.9.8zc, 1.0.0o and 1.0.1j: https://www.openssl.org/news/secadv_20141015.txt