‫ OpenSSL fixes another severe vulnerability

Number: IRCNE2014062210
Date: 2014-06-07

According to “zdnet”, the OpenSSL project has reported fixes for several vulnerabilities, at least one of them serious.The most significant vulnerability is SSL/TLS MITM vulnerability (CVE-2014-0224).

All client versions of OpenSSL are vulnerable. OpenSSL servers are only known to be vulnerable in versions 1.0.1 and 1.0.2-beta1.

OpenSSL provides this advice:

  • OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za
  • OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m
  • OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h

Google has released a new version of Chrome for Android, incrementing the OpenSSL version used in it to 1.0.1h.

The same updates fix several less-serious issues:

  • DTLS invalid fragment vulnerability (CVE-2014-0195) — A buffer overrun, potentially exploitable to run arbitrary code on the system.
  • DTLS recursion flaw (CVE-2014-0221) — Denial of service
  • SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198) — Denial of service
  • SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298) — Cross-section data injection or denial of service
  • Anonymous ECDH denial of service (CVE-2014-3470) — Denial of service
Related Links:


بدون نظر
شما برای نظر دادن باید وارد شوید


تاریخ ایجاد: 17 خرداد 1393



امتیاز شما
تعداد امتیازها:0