Latest OpenSSL Flaw Fixed

Monday, March 23, 2015 @ 04:03 PM gHale


The OpenSSL cryptographic library update is now available.

The seriousness of the flaw is not to the level of FREAK or POODLE as the only high-severity vulnerability patched is a denial-of-service (DoS) condition affecting version 1.0.2.

RELATED STORIES
Android, iOS Apps Vulnerable to FREAK
OpenSSL Patching Vulnerabilities
Apple Gets the FREAK Out
Patch Tuesday Features FREAK Focus

The update shows the library has wide integration in various software and hardware products and is responsible for a huge part of the secure communication over the web.

Identified as CVE-2015-0291, the vulnerability released February 26 from David Ramos of Stanford University. Stephen Henson and Matt Caswell of the OpenSSL development team developed the fix.

“If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension a NULL pointer dereference will occur. This can end up exploited in a DoS attack against the server,” the vulnerability advisory said.

Most of the rest of the fixes included in the current OpenSSL release received the “moderate-severity” label and refer to issues like segmentation faults, null pointer errors and a problem with processing Base64 encoded data.

OpenSSL versions affected by the bugs disclosed in the security advisory on Thursday vary from 0.9.8 and 1.0.0 to 1.0.1 and 1.0.2. Users should switch to the updated versions 0.9.8zf, 1.0.0r, 1.0.1m and 1.0.2a.



Leave a Reply

You must be logged in to post a comment.