HackDig : Dig high-quality web security articles for hacker

OpenSSL release patches 8 vulnerabilities

2015-01-09 19:30
The OpenSSL Project has released updates for the popular open-source library of the same name, which implements the SSL and TLS protocols.

The new releases - 1.0.1k, 1.0.0p and 0.9.8zd - fix 8 vulnerabilities in all, two of which have been classified as moderate and can lead to denial-of-service attacks.

The first one was spotted by Cisco Systems researcher Markus Stenberg late last year. An attacker can exploit it by crafting a special DTLS message that causes a segmentation fault in OpenSSL due to a NULL pointer dereference.

The second one was discovered on Wednesday by researcher Chris Mueller, who also provided an initial patch. It's a memory leak vulnerability that can be misused to trigger memory exhaustion and, consequently, denial of service.

Among the low-severity vulnerabilities are one that can lead to removal of forward secrecy from the ciphersuite, and one that allows server authentication without the use of a private key. Most of these low-severity vulnerabilities are difficult to exploit.

Updating your OpenSSL library is advised, but there is no particular rush.

Check out the security advisory for more details about the vulnerabilities.

As a side note: support for OpenSSL versions 1.0.0 and 0.9.8 is scheduled to stop on December 31, 2015. It's never too early to consider upgrading to the latest version (1.0.1).
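To check an installed build against the fixed releases named above, the following added example (not from the article or the OpenSSL Project) classifies the output of `openssl version` per branch. It handles the letter-suffix ordering, where `za` follows `z`; the function names and sample strings are constructed for illustration.

```python
import re

# Fixed releases named in the article, one per maintained branch.
FIXED = {"1.0.1": "k", "1.0.0": "p", "0.9.8": "zd"}

# Branch number followed by the optional letter suffix (e.g. "1.0.1" + "j").
_VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(text):
    """Return (branch, letters) from a string such as 'OpenSSL 1.0.1j ...'."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError("no OpenSSL version found in %r" % text)
    return match.group(1), match.group(2)


def patch_rank(letters):
    """Sort key for letter suffixes: '' < a < ... < z < za < zb < ..."""
    return (len(letters), letters)


def status(text):
    """Classify a version string against the fixed releases in FIXED."""
    branch, letters = parse_version(text)
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unknown-branch"  # branch not covered by this article
    if patch_rank(letters) >= patch_rank(fixed):
        return "patched"
    return "needs-update"


if __name__ == "__main__":
    # Constructed sample inputs in the style of `openssl version` output.
    samples = [
        "OpenSSL 1.0.1j 15 Oct 2014",
        "OpenSSL 1.0.1k 8 Jan 2015",
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
        "OpenSSL 0.9.8z",
        "OpenSSL 0.9.8zd",
    ]
    for line in samples:
        print("%-14s %s" % (status(line), line))
```

Distribution packages often backport fixes without changing the upstream letter, so treat a `needs-update` result as a prompt to check the vendor's package changelog rather than as proof of exposure.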

Source: feedproxy.google.com/~r/HelpNetSecurity/~3/jRbgVTd5FKA/secworld.php
