OpenSSL Patches 8 Vulnerabilities

Friday, January 9, 2015 @ 01:01 PM gHale


The OpenSSL Project released updates for the open-source library that implements the SSL and TLS protocols.

The new releases, 1.0.1k, 1.0.0p and 0.9.8zd, fix eight vulnerabilities in all. Two are rated moderate severity and can be used for denial-of-service (DoS) attacks; the remaining six are rated low.


The first, reported by Cisco Systems researcher Markus Stenberg late last year, is a NULL pointer dereference: a specially crafted DTLS message causes a segmentation fault in OpenSSL, crashing the process that received it.

The second, reported by researcher Chris Mueller, who also supplied an initial patch, is a memory leak in the DTLS code. An attacker who triggers it repeatedly can exhaust the process's memory and, consequently, cause a DoS.

The low-rated issues include one that effectively removes forward secrecy from a negotiated ciphersuite and one that lets an OpenSSL server accept a client certificate for authentication without the client proving possession of the matching private key. Most of these low-rated issues are difficult to exploit in practice.

The OpenSSL Project advises users to update to the fixed release for their branch.

See the OpenSSL security advisory for full details of each vulnerability.
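Because `openssl version` on a pre-1.1.0 build prints a branch number plus a letter suffix, deciding whether a host is at or past 1.0.1k, 1.0.0p or 0.9.8zd needs a comparison that understands the suffix order (the 0.9.8 branch went y, z, za, zb, zc, zd). The following Python is an added example, not code from the article or the OpenSSL Project; the `check_local_openssl` helper and the sample version strings are constructed for illustration.

```python
"""Check whether an OpenSSL version string predates the January 2015 fixed releases."""
import re
import subprocess

# Fixed releases named in the advisory, keyed by branch: 1.0.1k, 1.0.0p, 0.9.8zd.
FIXED_SUFFIX = {
    (1, 0, 1): "k",
    (1, 0, 0): "p",
    (0, 9, 8): "zd",
}

# Matches "OpenSSL 1.0.1j 15 Oct 2014", "1.0.1k", "OpenSSL 0.9.8zc-fips", ...
_VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return ((major, minor, fix), letter_suffix) for an OpenSSL version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def suffix_key(suffix):
    """Sort key for pre-1.1.0 OpenSSL letter suffixes.

    Patch releases count '' < a < b < ... < z < za < zb < ...; comparing
    (length, text) reproduces that order, so 'zd' > 'zc' > 'y' and 'k' > 'j'.
    """
    return (len(suffix), suffix)


def is_patched(version_text):
    """True if the version is at or past the fixed release for its branch.

    Returns None for branches the advisory does not cover (for example 1.0.2,
    which had not been released when the advisory came out).
    """
    branch, suffix = parse_version(version_text)
    fixed = FIXED_SUFFIX.get(branch)
    if fixed is None:
        return None
    return suffix_key(suffix) >= suffix_key(fixed)


def check_local_openssl():
    """Hypothetical helper: run `openssl version` on this host and label the result."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    labels = {True: "patched", False: "VULNERABLE (update)",
              None: "branch not covered by this advisory"}
    return out.strip(), labels[is_patched(out)]


if __name__ == "__main__":
    # Constructed sample strings in the format `openssl version` prints.
    for s in ["OpenSSL 1.0.1j 15 Oct 2014", "OpenSSL 1.0.1k 8 Jan 2015",
              "OpenSSL 0.9.8zc 15 Oct 2014", "OpenSSL 1.0.0p 8 Jan 2015",
              "OpenSSL 1.0.2 22 Jan 2015"]:
        print(f"{s:30} -> {is_patched(s)}")
```

One caveat a practitioner should keep in mind: distributions that backport security fixes (Red Hat and Debian, among others) usually leave the upstream version string untouched, so a host can report 1.0.1e and still carry the fix. On such systems the package changelog, not `openssl version`, is the authoritative check; this script is only a first pass for self-built or vendor-shipped OpenSSL.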


