Number: IRCNE2014062210
Date: 2014-06-07
According to “zdnet”, the OpenSSL project has reported fixes for several vulnerabilities, at least one of them serious.The most significant vulnerability is SSL/TLS MITM vulnerability (CVE-2014-0224).
All client versions of OpenSSL are vulnerable. OpenSSL servers are only known to be vulnerable in versions 1.0.1 and 1.0.2-beta1.
OpenSSL provides this advice:
- OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za
- OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m
- OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h
- Google has released a new version of Chrome for Android, incrementing the OpenSSL version used in it to 1.0.1h.
The same updates fix several less-serious issues:
- DTLS invalid fragment vulnerability (CVE-2014-0195) — A buffer overrun, potentially exploitable to run arbitrary code on the system.
- DTLS recursion flaw (CVE-2014-0221) — Denial of service
- SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198) — Denial of service
- SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298) — Cross-section data injection or denial of service
- Anonymous ECDH denial of service (CVE-2014-3470) — Denial of service
- 3