Multiple new OpenSSL vulnerabilities

New vulnerabilities in OpenSSL have been fixed, new versions:
OpenSSL 0.9.8 users should upgrade to 0.9.8za
OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

https://www.openssl.org/news/secadv_20140605.txt

 

Analysis by Adam Langley:
https://www.imperialviolet.org/2014/06/05/earlyccs.html

 

OpenVPN has released new installers which include OpenSSL 1.0.1h:
http://openvpn.net/index.php/download/community-downloads.html

 

The installer was released May 2, and newest Openssl was released June 5...?

Also I just noticed, openssl.exe never shows its version in the Properties tab. It is always blank.

 

Where did you find the May 2 date? The timestamp of the digital signature on installer is June 5.

Openssl.exe? Do you mean the installer?(That version info is blank here as well, a bit sloppy from the developers IMO.) The OpenSSL file included in the installer is ssleay.dll (In Program Files\OpenVPN\bin), that file does have version info.

 

I couldn't find the June reference from the site you linked, but I didn't look at the timestamp of the dig. cert. You are correct. Thanks.

Yes, I was referring to openssl.exe in the bin folder not the ssleay.dll.

 

I have upgraded OpenVPN and got the newest openssl libraries. However, my stunnel installation has the old version of openssl and there is no updated stunnel available yet for downloading.
Can I just copy the updated openssl libraries from my OpenVPN folder to Stunnel folder? If so, which files are crucial?

 

Even 1.0.2-beta1 is vulnerable with CCS Injection - http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html

 

Ah, I see a openssl.exe in the bin folder as well, it doesn't have version info here either.

I think it should work, but I'm not sure if it works, so you should keep a copy of the older openssl libraries from the Stunnel folder just in case. I don't have experience with Stunnel, but with other applications that use OpenSSL I've seen ssleay.ddl and libeay.ddl, so at least those 2. I would check for other files with the same name in the Stunnel folder to find more.

 

OpenSSL for Windows available at http://slproweb.com/products/Win32OpenSSL.html

 

I will check it out. Thanks.

Edit : No it didn't work. I copied those two dll's and also openssl.exe to the stunnel folder but the service failed to start. Seems there are other dependencies that the migration didn't solve. Well, will wait for the newest stunnel package.

 

Since OpenVPN and Stunnel install openssl separately in their respective program folders, I wonder how it works though, does the Openssl for Windows start as a service that software on the computer (e.g. openvpn, stunnel) can use?

 

I believe that the packages supply the binaries only.

 

Thanks for info noone_.

 

Avast 2014 R4 beta(9.0.2019) is updated to OpenSSL 1.0.1h.

 

Fixed in Kaspersky 2014 patch H (currently still in testing.)

 

Fixed in VMware Workstation 10.0.3, Player 6.0.3 and others:
http://www.vmware.com/security/advisories/VMSA-2014-0006.html