The Apache Haus Forum


Topic: Security: Openssl 1.0.1g updates available for Apache 2.4.9 & 2.2.27

Gregg

  • Administrator

Stop the Heartbleed attack that was dropped on the world very recently. This version of OpenSSL has fixed this vulnerability as well as one other CVE. I forgot to add the change log in the update packages, so here is the list of the 3 bugs/vulnerabilities fixed with 1.0.1g.

  • A missing bounds check in the handling of the TLS heartbeat extension
    can be used to reveal up to 64k of memory to a connected client or
    server.

    Thanks to Neel Mehta of Google Security for discovering this bug and to
    Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
    preparing the fix (CVE-2014-0160)
    [Adam Langley, Bodo Moeller]

  • Fix for the attack described in the paper "Recovering OpenSSL
    ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
    by Yuval Yarom and Naomi Benger. Details can be obtained from:
    http://eprint.iacr.org/2014/140

    Thanks to Yuval Yarom and Naomi Benger for discovering this
    flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
    [Yuval Yarom and Naomi Benger]

  • TLS pad extension: draft-agl-tls-padding-03

    Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
    TLS client Hello record length value would otherwise be > 255 and
    less than 512, pad with a dummy extension containing zeroes so it
    is at least 512 bytes long.

    [Adam Langley, Steve Henson]
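The first item above is the Heartbleed bug: the heartbeat handler copied as many payload bytes as the request declared, without checking that the record actually carried them. The C below is an added illustration, not code from this post or from OpenSSL; function names are hypothetical, the message layout follows RFC 6520, and the length test mirrors the bounds check that 1.0.1g added. The sample records are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message: 1-byte type, 2-byte payload_length,
 * the payload, then at least 16 bytes of padding. */
#define HB_HEADER  3
#define HB_PADDING 16
#define HB_REQUEST 1

/* Returns the payload length only if the declared length fits inside the
 * record actually received, otherwise -1. The second test is the check
 * that was missing before 1.0.1g (CVE-2014-0160). */
int heartbeat_payload_len(const unsigned char *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    unsigned payload = ((unsigned)rec[1] << 8) | rec[2];
    if ((size_t)HB_HEADER + payload + HB_PADDING > rec_len)
        return -1;                  /* declared length exceeds the record */
    return (int)payload;
}

/* Builds the heartbeat_response for a validated request, copying only
 * bytes that exist in the record. Returns bytes written or -1. */
int heartbeat_build_response(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap)
{
    int payload = heartbeat_payload_len(rec, rec_len);
    if (payload < 0 || (size_t)HB_HEADER + payload + HB_PADDING > out_cap)
        return -1;
    out[0] = 2;                     /* heartbeat_response type */
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, (size_t)payload);
    memset(out + HB_HEADER + payload, 0, HB_PADDING); /* real code: random */
    return HB_HEADER + payload + HB_PADDING;
}

/* Bytes a request asks for beyond the record it arrived in. Nonzero means a
 * malformed request worth logging; against an unpatched 1.0.1 that is the
 * amount of process memory the response would have disclosed. */
size_t heartbeat_overread(const unsigned char *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER) return 0;
    size_t declared = HB_HEADER + (((size_t)rec[1] << 8) | rec[2]) + HB_PADDING;
    return declared > rec_len ? declared - rec_len : 0;
}

/* Constructed samples: a legitimate 4-byte "ping" and one claiming 65535 */
const unsigned char good_rec[23] = { 1, 0x00, 0x04, 'p', 'i', 'n', 'g' };
const unsigned char bad_rec[23]  = { 1, 0xff, 0xff, 'p', 'i', 'n', 'g' };
unsigned char resp_buf[64];
```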