ID: IRCNE2012011364
Date: 2012-01-07
According to “ZDNet”, OpenSSL has released an alert to warn of at least six security vulnerabilities affecting users of the open source implementation of the SSL and TLS protocols. The vulnerabilities have been fixed in OpenSSL versions 1.0.0f and 0.9.8s.
The most serious flaw is a DTLS plaintext recovery attack that is publicly known.
The latest OpenSSL updates also fixes a policy check failure that leads to a double-free bug and a separate issue where OpenSSL prior to 1.0.0f and 0.9.8s fails to clear the bytes used as block cipher padding in SSL 3.0 records. This affects both clients and servers that accept SSL 3.0 handshakes.
As a result, in each record, up to 15 bytes of uninitialized memory may be sent, encrypted, to the SSL peer. This could include sensitive contents of previously freed memory.
- 2