16-03-2015, 19:42 #1
New OpenSSL “high severity” issue(s) to be disclosed on March 19th
Prime your calendars.
16-03-2015, 20:07 #2
16-03-2015, 20:20 #3
The Register @TheRegister 6 minutes ago That's all we know about Thursday's OpenSSL update. Stay frosty.
Subject: [openssl-announce] Forthcoming OpenSSL releases
From: Matt Caswell <matt () openssl ! org>
Date: 2015-03-16 19:05:31
Message-ID: 5507297B.8040505 () openssl ! org
Forthcoming OpenSSL releases
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
These releases will be made available on 19th March. They will fix a number of security defects. The highest severity defect fixed by these releases is classified as "high" severity.
The OpenSSL Project Team
Last edited by 5ms; 16-03-2015 at 20:25.
16-03-2015, 20:30 #4
16-03-2015, 20:37 #5
19-03-2015, 11:03 #6
"I have received a number of queries regarding the timing of Thursday's release. To clarify, we are aiming to have the release available sometime between 1100-1500 GMT."
19-03-2015, 11:30 #7
Issues in patches for issues
Mark J Cox @iamamoose 12 minutes ago
Just to let you know latest #OpenSSL news: a possible issue in one of the patches for today was reported to us and it's being investigated.
tux0r @tux0r 8 minutes ago
@iamamoose "Product security guys" reporting issues in patches for issues. Made my day. #LibreSSL+
Mark J Cox @iamamoose 3 minutes ago
@tux0r this is one reason #Openssl share with some in advance to get peer review on security fixes and save having to fix things twice
Last edited by 5ms; 19-03-2015 at 11:38.
19-03-2015, 13:26 #8
A total of 12 vulnerabilities were patched in this release
OpenSSL Security Advisory [19 Mar 2015]
OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server.
This issue affects OpenSSL version: 1.0.2
OpenSSL 1.0.2 users should upgrade to 1.0.2a.
This issue was reported to OpenSSL on 26th February 2015 by David Ramos of Stanford University. The fix was developed by Stephen Henson and Matt Caswell of the OpenSSL development team.
Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
This security issue was previously announced by the OpenSSL project and classified as "low" severity. This severity rating has now been changed to "high".
This was classified low because it was originally thought that server RSA export ciphersuite support was rare: a client was only vulnerable to a MITM attack against a server which supports an RSA export ciphersuite. Recent studies have shown that RSA export ciphersuites support is far more common.
This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen Henson of the OpenSSL core team. It was previously announced in the OpenSSL security advisory on 8th January 2015.
Full list: https://www.openssl.org/news/secadv_20150319.txt
Last edited by 5ms; 19-03-2015 at 13:38.
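Added here as a defender-side illustration, not part of the thread or of OpenSSL's own code: a small Python parser that audits a server's first TLS handshake flight for the two signs of the RSA export downgrade described in the CVE-2015-0204 entry above, an export suite being selected, or a ServerKeyExchange carrying a short RSA key inside a non-export static-RSA suite, which an unpatched client would accept. Cipher suite ids are the IANA values; the sample records are constructed, not captured traffic.

```python
import struct

# IANA cipher suite ids for export-grade key exchange (40-bit ciphers, 512-bit keys).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
# Static-RSA (non-export) suites: RFC 5246 7.4.3 allows no ServerKeyExchange here.
RSA_KX_SUITES = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}

def handshake_messages(record):
    """Yield (type, body) for every handshake message in one TLS record (content type 22)."""
    ctype, _ver, length = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ValueError("not a handshake record")
    data = record[5:5 + length]
    while data:
        mlen = int.from_bytes(data[1:4], "big")
        yield data[0], data[4:4 + mlen]
        data = data[4 + mlen:]

def audit_server_flight(record):
    """Return findings for a server flight (ServerHello ... ServerHelloDone) in one record."""
    findings, suite = [], None
    for mtype, body in handshake_messages(record):
        if mtype == 2:  # ServerHello: version(2) random(32) session_id<0..32> cipher_suite(2)
            sid_len = body[34]
            suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
            if suite in EXPORT_SUITES:
                findings.append("export suite selected: " + EXPORT_SUITES[suite])
        elif mtype == 12 and suite in RSA_KX_SUITES:  # ServerKeyExchange
            # Only an export-grade temporary RSA key ever appears here; a client with
            # CVE-2015-0204 accepts it although a non-export suite was negotiated.
            mod_len = struct.unpack("!H", body[:2])[0]
            findings.append("ServerKeyExchange in %s carries a %d-bit RSA modulus (FREAK downgrade)"
                            % (RSA_KX_SUITES[suite], mod_len * 8))
    return findings

# Constructed sample traffic (not a capture): one record holding the whole server flight.
def build_record(*msgs):
    payload = b"".join(bytes([t]) + len(b).to_bytes(3, "big") + b for t, b in msgs)
    return b"\x16\x03\x01" + struct.pack("!H", len(payload)) + payload

def server_hello(suite):  # TLS 1.0, zero random, empty session id, null compression
    return b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"

TEMP_KEY = struct.pack("!H", 64) + b"\x11" * 64 + b"\x00\x03\x01\x00\x01" + bytes(2)  # 512-bit n, e=65537, empty sig
FREAK_FLIGHT = build_record((2, server_hello(0x002F)), (11, bytes(3)), (12, TEMP_KEY), (14, b""))
CLEAN_FLIGHT = build_record((2, server_hello(0x002F)), (11, bytes(3)), (14, b""))
```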
19-03-2015, 14:00 #9
Debian Security Advisory DSA-3197-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
March 19, 2015 http://www.debian.org/security/faq
Package : openssl
CVE ID : CVE-2015-0209 CVE-2015-0286 CVE-2015-0287 CVE-2015-0288 CVE-2015-0289 CVE-2015-0292
Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues:
Stephen Henson discovered that the ASN1_TYPE_cmp() function can be crashed, resulting in denial of service.
Emilia Kaesper discovered a memory corruption in ASN.1 parsing.
Michal Zalewski discovered a NULL pointer dereference in the PKCS#7 parsing code, resulting in denial of service.
It was discovered that missing input sanitising in base64 decoding might result in memory corruption.
It was discovered that a malformed EC private key might result in memory corruption.
It was discovered that missing input sanitising in the X509_to_X509_REQ() function might result in denial of service.
For the stable distribution (wheezy), these problems have been fixed in version 1.0.1e-2+deb7u15. In this update the export ciphers are removed from the default cipher list.
We recommend that you upgrade your openssl packages.
Last edited by 5ms; 19-03-2015 at 14:13.
19-03-2015, 15:10 #10
Saw this today:
The FREAK flaw still affects hundreds of the most popular apps on iOS and Android