Quoting upstream advisory:

This issue only affected versions of OpenSSL prior to March 19th 2015, at which time the code was refactored to address the vulnerability CVE-2015-0293. s2_srvr.c overwrote the wrong bytes in the master-key when applying Bleichenbacher protection for export cipher suites. This provides a Bleichenbacher oracle, and could potentially allow more efficient variants of the DROWN attack. This issue affected OpenSSL versions 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze and all earlier versions. It was fixed in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf (released March 19th 2015). This issue was reported to OpenSSL on February 10th 2016 by David Adrian and J. Alex Halderman of the University of Michigan. The underlying defect had by then already been fixed by Emilia Käsper of OpenSSL on March 4th 2015. The fix for this issue can be identified by commits ae50d827 (1.0.2a), cd56a08d (1.0.1m), 1a08063 (1.0.0r) and 65c588c (0.9.8zf).
CVE-2015-0293 is tracked via bug 1202404. For upstream commit correcting this issue, see bug 1202404 comment 5.
Acknowledgments:
Name: the OpenSSL project
Upstream: David Adrian (University of Michigan), J. Alex Halderman (University of Michigan)
External References: https://www.openssl.org/news/secadv/20160301.txt
This issue has been addressed in the following products:
Red Hat Enterprise Linux 4 Extended Lifecycle Support
Via RHSA-2016:0306 https://rhn.redhat.com/errata/RHSA-2016-0306.html
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5.6 Long Life
Red Hat Enterprise Linux 5.9 Long Life
Via RHSA-2016:0304 https://rhn.redhat.com/errata/RHSA-2016-0304.html
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6.2 Advanced Update Support
Red Hat Enterprise Linux 6.5 Advanced Update Support
Red Hat Enterprise Linux 6.4 Advanced Update Support
Via RHSA-2016:0303 https://rhn.redhat.com/errata/RHSA-2016-0303.html
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Via RHSA-2016:0372 https://rhn.redhat.com/errata/RHSA-2016-0372.html
By any chance, will these fixes be available for the CentOS distribution (6)? Any ETA for the same? Thanks
The situation is exactly the same as in the case of CVE-2016-0703; please read the description.