Synopsis: Moderate: openssl security update
Advisory ID: SLSA-2014:1653-1
Issue Date: 2014-10-16
CVE Numbers: CVE-2014-3566
This update adds support for the TLS Fallback Signaling Cipher Suite Value
(TLS_FALLBACK_SCSV), which can be used to prevent protocol downgrade
attacks against applications which re-connect using a lower SSL/TLS
protocol version when the initial connection indicating the highest
supported protocol version fails.
This can prevent a forceful downgrade of the communication to SSL 3.0. The
SSL 3.0 protocol was found to be vulnerable to the padding oracle attack
when using block cipher suites in cipher block chaining (CBC) mode. This
issue is identified as CVE-2014-3566, and also known under the alias
POODLE. This SSL 3.0 protocol flaw will not be addressed in a future
update; it is recommended that users configure their applications to
require at least TLS protocol version 1.0 for secure communication.
For additional information about this flaw, see Upstream’s Knowledgebase article
For the update to take effect, all services linked to the OpenSSL library
(such as httpd and other SSL-enabled services) must be
restarted or the system rebooted.
– Scientific Linux Development Team