Multiple new OpenSSL vulnerabilities

Discussion in 'privacy technology' started by BoerenkoolMetWorst, Jun 5, 2014.

Thread Status:
Not open for further replies.
  1. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    New vulnerabilities in OpenSSL have been fixed, new versions:
    OpenSSL 0.9.8 users should upgrade to 0.9.8za
    OpenSSL 1.0.0 users should upgrade to 1.0.0m.
    OpenSSL 1.0.1 users should upgrade to 1.0.1h.

    https://www.openssl.org/news/secadv_20140605.txt
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
  4. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492

    The installer was released May 2, and the newest OpenSSL was released June 5...?

    Also I just noticed, openssl.exe never shows its version in the Properties tab. It is always blank.
     
  5. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Where did you find the May 2 date? The timestamp of the digital signature on the installer is June 5.

    Openssl.exe? Do you mean the installer? (That version info is blank here as well, a bit sloppy from the developers IMO.) The OpenSSL file included in the installer is ssleay.dll (in Program Files\OpenVPN\bin); that file does have version info.
     
  6. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    I couldn't find the June reference from the site you linked, but I didn't look at the timestamp of the dig. cert. You are correct. Thanks.

    Yes, I was referring to openssl.exe in the bin folder not the ssleay.dll.
     
  7. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    I have upgraded OpenVPN and got the newest openssl libraries. However, my stunnel installation has the old version of openssl and there is no updated stunnel available yet for downloading.
    Can I just copy the updated openssl libraries from my OpenVPN folder to Stunnel folder? If so, which files are crucial?
     
  8. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Ah, I see an openssl.exe in the bin folder as well; it doesn't have version info here either.
    I think it should work, but I'm not sure if it works, so you should keep a copy of the older OpenSSL libraries from the Stunnel folder just in case. I don't have experience with Stunnel, but with other applications that use OpenSSL I've seen ssleay.dll and libeay.dll, so at least those 2. I would check for other files with the same name in the Stunnel folder to find more.
     
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
  11. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    I will check it out. Thanks.

    Edit: No, it didn't work. I copied those two DLLs and also openssl.exe to the stunnel folder, but the service failed to start. Seems there are other dependencies that the migration didn't solve. Well, will wait for the newest stunnel package. :)
     
    Last edited: Jun 7, 2014
  12. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    Since OpenVPN and Stunnel install OpenSSL separately in their respective program folders, I wonder how it works, though. Does OpenSSL for Windows start as a service that software on the computer (e.g. OpenVPN, Stunnel) can use?
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I believe that the packages supply the binaries only.
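
Because each application ships its own copy of the OpenSSL binaries, every install folder has to be checked separately. The following is an added example, not code from any poster in this thread: a Python script that looks for the version banner OpenSSL builds embed in their binaries and compares it with the fixed releases listed in the first post. The function names and the sample bytes are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Fixed releases named in the first post of this thread, per branch.
FIXED = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}
# OpenSSL builds embed a banner such as b"OpenSSL 1.0.1g 7 Apr 2014".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]{0,2})\b")
# Constructed sample bytes standing in for a bundled library file.
SAMPLE = b"MZ\x00\x00OpenSSL 1.0.1g 7 Apr 2014\x00"

def letter_rank(suffix):
    """Order OpenSSL patch letters: '' < a < ... < z < za < zb."""
    return (len(suffix), suffix)

def embedded_versions(data):
    """Return the set of (branch, letter) banners found in a binary blob."""
    return {(m.group(1).decode(), m.group(2).decode()) for m in BANNER.finditer(data)}

def status(branch, letter):
    """Compare one bundled version with the fixed release of its branch."""
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unknown branch"
    return "patched" if letter_rank(letter) >= letter_rank(fixed) else "needs update"

def scan(root):
    """List (path, version, status) for each DLL/EXE under root with a banner."""
    results = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in (".dll", ".exe") or not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file (locked or access denied): skip it
        for branch, letter in sorted(embedded_versions(data)):
            results.append((str(path), branch + letter, status(branch, letter)))
    return results

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. the OpenVPN or Stunnel program folder
        for row in scan(sys.argv[1]):
            print(*row, sep="\t")
    else:  # no folder given: show the result for the constructed sample
        for branch, letter in embedded_versions(SAMPLE):
            print("sample", branch + letter, status(branch, letter), sep="\t")
```

Running it against each program folder in turn shows which applications still carry an older bundled copy, independent of whether the file's Properties tab has version info.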
     
  14. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    Thanks for info noone_.
     
  15. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,956
    Location:
    U.S.A.
     
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Avast 2014 R4 beta (9.0.2019) is updated to OpenSSL 1.0.1h.
     
  17. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Fixed in Kaspersky 2014 patch H (currently still in testing.)
     
  18. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space