Dimitris

OpenSSL releases patch for high security vulnerability

As announced on Tuesday, the OpenSSL project team released OpenSSL version 1.1.0c that addresses three security vulnerabilities in its software.

The most serious of all is a heap-based buffer overflow bug (CVE-2016-7054) related to Transport Layer Security (TLS) connections using *-CHACHA20-POLY1305 cipher suites.

The vulnerability, reported by Robert Święcki of the Google Security Team on September 25, can lead to a DoS attack by corrupting larger payloads, resulting in a crash of OpenSSL.

The severity of the flaw is rated "High" and does not affect OpenSSL versions prior to 1.1.0. However, the OpenSSL team reports there is no evidence that the flaw is exploitable beyond a DoS attack.

The OpenSSL project also patches a moderate severity flaw (CVE-2016-7053) that can cause applications to crash.

"Applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure callback if an attempt is made to free certain invalid encodings. Only CHOICE structures using a callback which do not handle NULL value are affected," the team explains.

The vulnerability also only affects OpenSSL 1.1.0.

The OpenSSL 1.1.0c update also fixes a low severity flaw (CVE-2016-7055), which is related to the Broadwell-specific Montgomery multiplication procedure that handles input lengths divisible by, but longer than, 256 bits.

The issue was not initially considered a security problem, but experts have demonstrated that the vulnerability can be exploited by attackers in very specific circumstances.

This vulnerability also affects OpenSSL version 1.0.2, but due to the low severity of the flaw, the team did not issue an update at this time. The fix will be included in the next 1.0.2 release, so users are recommended to wait for it.

All users are strongly recommended to upgrade their software to OpenSSL version 1.1.0c.

As in its previous announcements, the OpenSSL Project has reminded its users that it will no longer support OpenSSL version 1.0.1 after December 31, 2016, and that it will receive no security updates after this deadline.
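A small triage helper, added here as an example and not part of the post or of the OpenSSL project, that maps the output of `openssl version` onto the three advisories described above (1.1.0 through 1.1.0b affected by all three, 1.0.2 still awaiting the CVE-2016-7055 fix, 1.0.1 approaching end of life). The version strings in the tests are constructed samples.

```python
import re
import subprocess

# Advisory facts as stated in the post (OpenSSL 1.1.0c release).
ADVISORY = {
    "CVE-2016-7054": "High: heap overflow with *-CHACHA20-POLY1305 TLS suites (DoS); fixed in 1.1.0c",
    "CVE-2016-7053": "Moderate: NULL deref parsing invalid CMS (ASN.1 CHOICE); fixed in 1.1.0c",
    "CVE-2016-7055": "Low: Broadwell Montgomery multiplication bug; fixed in 1.1.0c, 1.0.2 fix pending",
}
EOL_NOTE = "OpenSSL 1.0.1 receives no security updates after 31 Dec 2016"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Extract (major, minor, fix, letters) from text such as 'OpenSSL 1.1.0b  26 Sep 2016'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version string found in %r" % text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def affected_cves(version_text):
    """Return the sorted list of CVEs from the advisory that apply to this version."""
    major, minor, fix, letters = parse_version(version_text)
    branch = (major, minor, fix)
    if branch == (1, 1, 0):
        # 1.1.0, 1.1.0a and 1.1.0b are all affected; single-letter suffixes sort
        # alphabetically and the bare release has an empty suffix ('' < 'a' < 'b' < 'c').
        return sorted(ADVISORY) if letters < "c" else []
    if branch == (1, 0, 2):
        # Only the Broadwell bug applies; its fix is scheduled for the next 1.0.2 release.
        return ["CVE-2016-7055"]
    # Nothing from this advisory applies to other branches (1.0.1 is EOL instead).
    return []


def triage(version_text):
    """Combine the CVE list with the 1.0.1 end-of-life reminder into one report."""
    cves = affected_cves(version_text)
    notes = [ADVISORY[c] for c in cves]
    if parse_version(version_text)[:3] == (1, 0, 1):
        notes.append(EOL_NOTE)
    return {"version": version_text.strip(), "cves": cves, "notes": notes}


if __name__ == "__main__":
    # Ask the locally installed binary for its version and print the triage result.
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True).stdout
    print(triage(out))
```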
