OpenSSL mystery patches due for release Thursday

ronjor · Mar 17, 2015

No details are available yet, but one flaw is of 'high' severity

Jeremy Kirk (IDG News Service) on 17 March, 2015 13:55
Click to expand...

http://www.cso.com.au/article/570547/openssl-mystery-patches-due-release-thursday/

Palancar · Mar 17, 2015

Thanks for the heads up.

Dragon1952 · Mar 18, 2015

OpenSSL — the software used by thousands of companies to encrypt online communications — is set to get a security makeover this week: The OpenSSL projectsaid it plans to release new versions of its code to fix a number of security weaknesses, including some classified as “high” severity.......http://krebsonsecurity.com/2015/03/openssl-patch-to-plug-severe-security-holes/

lotuseclat79 · Mar 19, 2015

OpenSSL Security Advisory [19 Mar 2015].

OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
=====================================================

Severity: High

If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
invalid signature algorithms extension a NULL pointer dereference will occur.
This can be exploited in a DoS attack against the server.

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 users should upgrade to 1.0.2a.

This issue was was reported to OpenSSL on 26th February 2015 by David Ramos
of Stanford University. The fix was developed by Stephen Henson and Matt
Caswell of the OpenSSL development team.

Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
============================================================================

Severity: High

This security issue was previously announced by the OpenSSL project and
classified as "low" severity. This severity rating has now been changed to
"high".

This was classified low because it was originally thought that server RSA
export ciphersuite support was rare: a client was only vulnerable to a MITM
attack against a server which supports an RSA export ciphersuite. Recent
studies have shown that RSA export ciphersuites support is far more common.

This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team. It was previously announced in the OpenSSL
security advisory on 8th January 2015.

-- Tom
Click to expand...

lotuseclat79 · Mar 19, 2015

OpenSSL Patch to Plug Severe Security Holes.

The world is about to get another reminder about just how much of the Internet runs on technology maintained by a handful of coders working on a shoestring budget. OpenSSL — the software used by thousands of companies to encrypt online communications — is set to get a security makeover this week: The OpenSSL project said it plans to release new versions of its code to fix a number of security weaknesses, including some classified as “high” severity.
Click to expand...

-- Tom

lotuseclat79 · Mar 19, 2015

You need to apply the OpenSSL patches today, not tomorrow

Summary:There's a new set of OpenSSL patches out and they fix some nasty security holes.
Click to expand...

Related: OpenSSL patches "high" severity flaws in latest release

Summary:The update fixes a security vulnerability with the highest severity rating, which could allow a hacker to launch a denial-of-service attack against a server.
Click to expand...

-- Tom

Log in or Sign up

OpenSSL mystery patches due for release Thursday

ronjor Global Moderator

Palancar Registered Member

Dragon1952 Registered Member

lotuseclat79 Registered Member

lotuseclat79 Registered Member

lotuseclat79 Registered Member

Log in or Sign up

OpenSSL mystery patches due for release Thursday

ronjor Global Moderator

Palancar Registered Member

Dragon1952 Registered Member

lotuseclat79 Registered Member

lotuseclat79 Registered Member

lotuseclat79 Registered Member

Useful Searches