  1. #1
    WHT-BR Top Member
    Join Date: Dec 2010
    Posts: 15,049

    OpenSSL patches high-severity vulnerability

    By Juha Saarinen
    Sep 23 2016

    The popular OpenSSL cryptographic library project has patched a flaw that could take down servers through memory exhaustion in denial-of-service attacks.

    A malicious client, which sends excessively large online certificate status protocol (OCSP) status requests during connection negotiations, can cause massive memory usage growth on the server, the project said.

    Eventually, this will lead to a denial-of-service attack on the server through memory exhaustion.

    OCSP is an open standard protocol used to check for the revocation status of X.509 digital certificates.

    The bug exists in OpenSSL versions 1.0.1, 1.0.2 and 1.1.0. The updated versions are 1.0.1u, 1.0.2i and 1.1.0a.

    OpenSSL versions earlier than 1.0.1g are only vulnerable if OCSP stapling support is enabled, and not in the default configuration.

    Researcher Shi Lei from Gear Team at Chinese security vendor Qihoo 360 is credited with having found the vulnerability.

    A further 15 security fixes are included in the latest round of OpenSSL patches, 14 of which are rated as low severity.

    One bug can be exploited by sending empty records when the SSL_peek() function is called, causing OpenSSL 1.0 - the transport layer security set up process - to hang. This vulnerability could also be exploited in denial-of-service attacks.


    http://www.itnews.com.au/news/openss...ability-438055

  2. #2

    Debian 8

    ```
    # apt-get upgrade
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    Calculating upgrade... Done
    The following packages will be upgraded:
    libssl-dev libssl1.0.0 openssl
    3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    Need to get 2,993 kB of archives.
    After this operation, 3,072 B of additional disk space will be used.
    Do you want to continue? [Y/n]
    ```


  3. #3
    Status Updates @status_updates Feb 29

    As part of our commitment to improving security, we're scheduling an annual audit that will happen every 29th February from now on.

  4. #4

    Debian/Ubuntu/? - version might result in segfault

    To my morning annoyance, today I had to do yet another OpenSSL upgrade -- 36h after the last big batch of packages (posts #1 #2), less than 30 days after a celebrated Tabajara release.

    Well, its problems are not over.

    Maybe the new fix is related to the alleged problem described below. I don't know.

    Doesn't matter. I had barely finished upgrading the servers and there was already "news" on Twitter:

    Debian Bugs @DebianBug 10 minutes ago

    New bug: 838765 - #openssl - openssl: Last upgrade broke TLS for Outlook under XP... http://deb.li/3urhI

    The asinine campaign to use HTTPS where it isn't needed, on top of its other harms, also inserts a fragile and dangerous SPF like this OpenSSL junk.



    libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert validation to segfault
    Bug #1626883 reported by Olli Salli on 2016-09-23



    Bug Description

    Last night unattended-upgrades upgraded the openssl packages (libssl1.0.0, libssl-dev, openssl) from version 1.0.2g-1ubuntu4.1 to version 1.0.2g-1ubuntu4.4 on a CI build server. Then everything that used PHP to connect to a HTTPS site started crashing when verifying the server cert.

    Like this:

    ```
    jenkins@ubuntutemplate:/var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress$ DATABASE_DATABASE=wordpressmastere2e catchsegv wp plugin install --force --activate wp-cfm
    Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; WP_Import has a deprecated constructor in /var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop /vagrant/wordpress/wp-content/plugins/wordpress-importer/wordpress-importer.php on line 38
    Notice: Undefined offset: 4 in phar:///usr/local/bin/wp/php/WP_CLI/DocParser.php on line 124
    Segmentation fault (core dumped)
    *** Segmentation fault
    ...
    ```

    Apparently something in libssl now returns a NULL or not-NUL-terminated C string which the PHP function openssl_x509_parse then passes to strlen, which crashes.

    After downgrading to 1.0.2g-1ubuntu4.2 which luckily is still in the repos, everything works.

    ...

    https://bugs.launchpad.net/ubuntu/+s...l/+bug/1626883


    Debian Bug report logs - #838765
    openssl: Last upgrade broke TLS for Outlook under XP

    Package: openssl; Maintainer for openssl is Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>; Source for openssl is src:openssl.

    Reported by: "DaB." <debian@daniel.baur4.info>

    Date: Sat, 24 Sep 2016 14:33:02 UTC

    Severity: normal

    Found in version openssl/1.0.1t-1+deb8u4
    https://bugs.debian.org/cgi-bin/bugr...cgi?bug=838765
    Last edited by 5ms; 24-09-2016 at 14:45.

  5. #5

    OpenSSL Fixes Critical Bug Introduced by Latest Update

    by Michael Mimoso
    September 26, 2016

    OpenSSL today released an emergency security update after a patch in its most recent update issued last week introduced a critical vulnerability in the cryptographic library. The new flaw affects only OpenSSL 1.1.0a, which was made available last Thursday; users are urged to update to 1.1.0b immediately.

    The original patch addressed an issue, CVE-2016-6307, where there was excessive memory allocation in tls_get_message_header. OpenSSL rated that flaw a low-severity bug and said it could cause servers to crash.

    The patch, however, brought a new vulnerability to the code where if messages larger than 16k are received, the underlying buffer that stores the message would be reallocated and moved, OpenSSL said.

    “Unfortunately a dangling pointer to the old location is left which results in an attempt to write to the previously freed location,” OpenSSL said in its advisory today. “This is likely to result in a crash, however it could potentially lead to execution of arbitrary code.”

    OpenSSL also included a patch for another new vulnerability affecting only OpenSSL 1.0.2i, which was also released last week.

    The bug, CVE-2016-7052, is labeled a missing certificate revocation list (CRL) sanity check component. The sanity check, OpenSSL said, was added originally to 1.1.0, but omitted from 1.0.2i.

    “As a result any attempt to use CRLs in OpenSSL 1.0.2i will crash with a null pointer exception,” OpenSSL said. It added that users should upgrade to 1.0.2j to remedy this issue.

    Last week’s update patched only one critical vulnerability, which was found and fixed in OpenSSL’s implementation of the Online Certificate Status Protocol (OCSP) that could cause servers to crash, and in some situations, allows attackers to execute arbitrary code.

    OCSP is considered an alternative to CRLs and is used by a client to ping a server requesting the status of a digital certificate. A client sending an overly large OCSP Status Request extension could trigger the bug and crash the server, OpenSSL said.

    OpenSSL also mitigated the SWEET32 vulnerability, CVE-2016-2183. Sweet32 was disclosed in August and affected 64-bit ciphers such as Triple-DES (3DES) and Blowfish and could allow an attacker to recover authentication cookie data from 3DES traffic, and usernames and passwords from OpenVPN traffic, which is secured by Blowfish. As expected, OpenSSL moved 64-bit ciphers from the high cipherstring group to medium in OpenSSL 1.0.1 and 1.0.2. OpenSSL 1.1.0 disables these ciphersuites by default.

    https://threatpost.com/openssl-fixes...update/120851/
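    As an added example (not code from this thread, from OpenSSL, Debian or Ubuntu), here is a small Python check for the two things a server admin would want to confirm after reading posts #1 and #5: whether a reported OpenSSL version is at or past the fixed releases the thread ends up with (1.0.1u, 1.0.2j, 1.1.0b, with 1.0.2i and 1.1.0a flagged as the interim releases that introduced their own bugs), and whether a cipher string still selects the 64-bit block ciphers behind SWEET32. The version, CVE and branch facts come from the posts; the function names, the "packaged" heuristic, the hardened cipher string and the sample version strings are this example's own assumptions. One caveat the thread itself illustrates: Debian and Ubuntu keep the upstream version in the package name (1.0.1t-1+deb8u4, 1.0.2g-1ubuntu4.4) and backport fixes, so for a distro package the letter comparison proves nothing by itself and the distribution's own advisory is the reference.

```python
"""Check OpenSSL version strings against the fixed releases named in this
thread and flag SWEET32-class (64-bit block) ciphers in a cipher string.

Added example; not code from OpenSSL, Debian, Ubuntu or the quoted articles.
"""
import re
import subprocess
from typing import List, NamedTuple, Tuple

# First fixed upstream release per branch, as the thread ends up stating:
# 1.0.1u, 1.0.2j (1.0.2i was superseded), 1.1.0b (1.1.0a was superseded).
FIXED = {(1, 0, 1): "u", (1, 0, 2): "j", (1, 1, 0): "b"}

# Interim releases from the first round that introduced their own bug (post #5).
BAD_INTERIM = {
    ((1, 0, 2), "i"): "CVE-2016-7052: CRL sanity check missing, using CRLs crashes; upgrade to 1.0.2j",
    ((1, 1, 0), "a"): "critical: dangling pointer after message buffer reallocation; upgrade to 1.1.0b",
}

# Matches '1.0.2g' inside 'OpenSSL 1.0.2g  1 Mar 2016' or '1.0.2g-1ubuntu4.4'.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


class Result(NamedTuple):
    status: str      # "fixed", "vulnerable", "conditional" or "unknown"
    packaged: bool   # True if a Debian-style revision follows the version
    detail: str


def parse_version(text: str) -> Tuple[Tuple[int, int, int], str, bool]:
    """Return ((major, minor, fix), letter_suffix, packaged).

    `packaged` is a heuristic (this example's assumption): a '-' right after
    the version token means a distribution package such as 1.0.1t-1+deb8u4,
    whose upstream version can stay behind while the distro backports fixes.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    branch = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    packaged = m.end() < len(text) and text[m.end()] == "-"
    return branch, m.group(4), packaged


def suffix_key(suffix: str) -> Tuple[int, str]:
    """Order letter suffixes the way OpenSSL 1.x did: '' < 'a' < ... < 'z' < 'za'."""
    return (len(suffix), suffix)


def fmt(branch: Tuple[int, int, int], suffix: str) -> str:
    return ".".join(str(n) for n in branch) + suffix


def assess(text: str) -> Result:
    """Classify a version string against the fixed releases in this thread."""
    branch, letter, packaged = parse_version(text)
    if branch not in FIXED:
        return Result("unknown", packaged,
                      f"{fmt(branch, letter)} is outside the advisory's branches (1.0.1, 1.0.2, 1.1.0)")
    if (branch, letter) in BAD_INTERIM:
        return Result("vulnerable", packaged, BAD_INTERIM[(branch, letter)])
    fixed = FIXED[branch]
    if suffix_key(letter) >= suffix_key(fixed):
        return Result("fixed", packaged, f"{fmt(branch, letter)} is at or after {fmt(branch, fixed)}")
    if branch == (1, 0, 1) and suffix_key(letter) < suffix_key("g"):
        # Post #1: before 1.0.1g the OCSP status-request bug only applies when
        # OCSP stapling is enabled; the update is still due.
        return Result("conditional", packaged,
                      "OCSP status-request bug applies only if OCSP stapling is enabled; upgrade to 1.0.1u")
    return Result("vulnerable", packaged, f"upgrade to {fmt(branch, fixed)}")


# --- SWEET32 (CVE-2016-2183): 64-bit block ciphers in a cipher string --------

def sweet32_ciphers(names: List[str]) -> List[str]:
    """Return the cipher names built on a 64-bit block cipher (3DES, DES, IDEA,
    RC2). OpenSSL names 3DES suites 'DES-CBC3'. Blowfish, also named in the
    thread, is an OpenVPN data-channel cipher, not a TLS suite, so it never
    appears in a TLS cipher list."""
    return [n for n in names if any(k in n.upper() for k in ("DES", "IDEA", "RC2"))]


def live_cipher_names(cipher_string: str) -> List[str]:
    """Cipher names the local OpenSSL actually selects for a cipher string."""
    import ssl
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


# The thread's mitigation in cipher-string form (assumed string): drop the
# 64-bit block ciphers outright instead of relying on their HIGH->MEDIUM demotion.
HARDENED_CIPHERS = "DEFAULT:!3DES:!DES:!IDEA:!RC2"


if __name__ == "__main__":
    # Constructed sample strings, including distro package versions from the thread.
    for sample in ("OpenSSL 1.0.2g  1 Mar 2016", "1.0.2g-1ubuntu4.4",
                   "1.0.1t-1+deb8u4", "OpenSSL 1.1.0a", "OpenSSL 1.0.2j"):
        r = assess(sample)
        note = " (distro package: the distro advisory decides, not this letter)" if r.packaged else ""
        print(f"{sample:30} {r.status:12} {r.detail}{note}")
    try:
        local = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True).stdout
        print("local:", assess(local))
    except (OSError, subprocess.CalledProcessError):
        print("local: openssl binary not available")
    print("64-bit block ciphers left with hardened string:",
          sweet32_ciphers(live_cipher_names(HARDENED_CIPHERS)))
```

    Run it directly to print the sample assessments, the local `openssl version` result when the binary is present, and whatever 64-bit block ciphers survive the hardened string (normally none). The `packaged` flag is the point to watch on Debian 8 and Ubuntu 16.04: the version letter will look "vulnerable" even after the distro has shipped the fix.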

  6. #6
    19:40 - The emergency patch mentioned above is still not available on Debian.
