Página 1 de 2 12 ÚltimoÚltimo
Resultados 1 a 10 de 11
  1. #1
    WHT-BR Top Member
    Data de Ingresso
    Dec 2010
    Posts
    15,049

    Exclamation New OpenSSL “high severity” issue(s) to be disclosed on March 19th

    Prime your calendars.

  2. #2
    WHT-BR Top Member
    Data de Ingresso
    Jul 2011
    Posts
    1,038
    Se for algo ligado a isto aqui publicado hoje, só desligar o RC4:
    http://www.isg.rhul.ac.uk/tls/RC4passwords.pdf

    Mas mesmo que não seja, desligar o RC4 é uma boa de todo modo...

  3. #3
    WHT-BR Top Member
    Data de Ingresso
    Dec 2010
    Posts
    15,049
    The Register ‏@TheRegister 6 minutes ago That's all we know about Thursday's OpenSSL update. Stay frosty.




    List: openssl-announce
    Subject: [openssl-announce] Forthcoming OpenSSL releases
    From: Matt Caswell <matt () openssl ! org>
    Date: 2015-03-16 19:05:31
    Message-ID: 5507297B.8040505 () openssl ! org
    [Download message RAW]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1


    Forthcoming OpenSSL releases
    ============================

    The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.

    These releases will be made available on 19th March. They will fix a number of security defects. The highest severity defect fixed by these releases is classified as "high" severity.

    Yours

    The OpenSSL Project Team
    Última edição por 5ms; 16-03-2015 às 21:25.

  4. #4
    WHT-BR Top Member
    Data de Ingresso
    Dec 2010
    Posts
    15,049
    Citação Postado originalmente por rubensk Ver Post
    Mas mesmo que não seja, desligar o RC4 é uma boa de todo modo...
    Valeu!

    Lembra aquela situação de você saber que o programa tem um erro e no processo de encontrá-lo você acha outro erro.

  5. #5
    WHT-BR Top Member
    Data de Ingresso
    Dec 2010
    Posts
    15,049

    Smile Façam suas apostas

    Tony Arcieri ‏@bascule 1 hour ago Friendly bet: Thursday's OpenSSL vulnerability will involve remote code execution in an ASN.1 parser, ala: https://www.nerdbox.it/wpnb_news/rce-polarssl/

  6. #6
    WHT-BR Top Member
    Data de Ingresso
    Dec 2010
    Posts
    15,049
    "I have received a number of queries regarding the timing of Thursday's release. To clarify, we are aiming to have the release available sometime between 1100-1500 GMT."

    https://marc.info/?l=openssl-announc...7932619582&w=2

  7. #7
    WHT-BR Top Member
    Data de Ingresso
    Dec 2010
    Posts
    15,049

    Issues in patches for issues

    Mark J Cox ‏@iamamoose 12 minutes ago
    Just to let you know latest #OpenSSL news: a possible issue in one of the patches for today was reported to us and it's being investigated.



    tux0r ‏@tux0r 8 minutes ago
    @iamamoose
    "Product security guys" reporting issues in patches for issues. Made my day. #LibreSSL+



    Mark J Cox ‏@iamamoose 3 minutes ago
    @tux0r
    this is one reason #Openssl share with some in advance to get peer review on security fixes and save having to fix things twice
    Última edição por 5ms; 19-03-2015 às 12:38.

  8. #8
    WHT-BR Top Member
    Data de Ingresso
    Dec 2010
    Posts
    15,049

    A total of 12 vulnerabilities were patched in this release





    OpenSSL Security Advisory [19 Mar 2015]





    OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
    ====================================

    Severity: High

    If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server.

    This issue affects OpenSSL version: 1.0.2

    OpenSSL 1.0.2 users should upgrade to 1.0.2a.

    This issue was was reported to OpenSSL on 26th February 2015 by David Ramos of Stanford University. The fix was developed by Stephen Henson and Matt Caswell of the OpenSSL development team.




    Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
    ===================================

    Severity: High

    This security issue was previously announced by the OpenSSL project and classified as "low" severity. This severity rating has now been changed to "high".

    This was classified low because it was originally thought that server RSA export ciphersuite support was rare: a client was only vulnerable to a MITM attack against a server which supports an RSA export ciphersuite. Recent studies have shown that RSA export ciphersuites support is far more common.

    This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

    OpenSSL 1.0.1 users should upgrade to 1.0.1k.
    OpenSSL 1.0.0 users should upgrade to 1.0.0p.
    OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

    This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen Henson of the OpenSSL core team. It was previously announced in the OpenSSL security advisory on 8th January 2015.



    Lista completa: https://www.openssl.org/news/secadv_20150319.txt
    Última edição por 5ms; 19-03-2015 às 14:38.

  9. #9
    WHT-BR Top Member
    Data de Ingresso
    Dec 2010
    Posts
    15,049

    Debian

    CVE-2015-0204

    squeeze (security), squeeze
    0.9.8o-4squeeze14
    vulnerable

    squeeze (lts)
    0.9.8o-4squeeze19
    fixed

    wheezy
    1.0.1e-2+deb7u13
    vulnerable

    wheezy (security)
    1.0.1e-2+deb7u15
    fixed

    jessie, sid
    1.0.1k-1
    fixed


    Debian Security Advisory DSA-3197-1 security () debian org
    http://www.debian.org/security/ Moritz Muehlenhoff
    March 19, 2015 http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : openssl
    CVE ID : CVE-2015-0209 CVE-2015-0286 CVE-2015-0287 CVE-2015-0288 CVE-2015-0289 CVE-2015-0292

    Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues:

    CVE-2015-0286

    Stephen Henson discovered that the ASN1_TYPE_cmp() function can be crashed, resulting in denial of service.

    CVE-2015-0287

    Emilia Kaesper discovered a memory corruption in ASN.1 parsing.

    CVE-2015-0289

    Michal Zalewski discovered a NULL pointer dereference in the PKCS#7 parsing code, resulting in denial of service.

    CVE-2015-0292

    It was discovered that missing input sanitising in base64 decoding might result in memory corruption.

    CVE-2015-0209

    It was discovered that a malformed EC private key might result in memory corruption.

    CVE-2015-0288

    It was discovered that missing input sanitising in the X509_to_X509_REQ() function might result in denial of service.

    For the stable distribution (wheezy), these problems have been fixed in version 1.0.1e-2+deb7u15. In this update the export ciphers are removed from the default cipher list.

    We recommend that you upgrade your openssl packages.
    Última edição por 5ms; 19-03-2015 às 15:13.

  10. #10
    WHT-BR Top Member
    Data de Ingresso
    Nov 2010
    Posts
    1,611
    Vi isso aqui hoje:

    http://gizmodo.uol.com.br/freak-apps/

    A falha FREAK ainda afeta centenas dos apps mais populares no iOS e Android
    oGigante.com*• Revenda de Hospedagem Cloud Linux + WHMCS Grátis
    VWhost.com.br • Revenda de Hospedagem Linux Cpanel + CloudFlare
    Zocka.com.br • Hospedagem de Sites Cpanel + Construtor de Sites

Permissões de Postagem

  • Você não pode iniciar novos tópicos
  • Você não pode enviar respostas
  • Você não pode enviar anexos
  • Você não pode editar suas mensagens
  •