Security: Openssl 1.0.1h & 0.9.8za updates available for Apache 2.4.9 & 2.2.27

Started by Gregg, June 07, 2014, 06:42:41 AM


Gregg

OpenSSL 1.0.1h and 0.9.8za updates are available for download now. These are primarily security updates and it is suggested that you update your server as soon as possible.

Update packages can be found on our download page.

OpenSSL 1.0.1h Changes

  *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
     handshake can force the use of weak keying material in OpenSSL
     SSL/TLS clients and servers.

     Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
     researching this issue. (CVE-2014-0224)
     [KIKUCHI Masashi, Steve Henson]

  *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
     OpenSSL DTLS client the code can be made to recurse eventually crashing
     in a DoS attack.

     Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
     (CVE-2014-0221)
     [Imre Rad, Steve Henson]

  *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
     be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
     client or server. This is potentially exploitable to run arbitrary
     code on a vulnerable client or server.

     Thanks to J
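To act on the advice above, an admin first has to know which branch and letter release is actually installed. The check below is an added example (not code from the post or from the OpenSSL project) that parses the string `openssl version` prints and compares it against the two fixed releases named in the announcement, 1.0.1h and 0.9.8za. It assumes the usual `openssl` binary on PATH; the sample strings in the block are constructed to mirror that output format. Branches the post does not mention (for example 1.0.0) are reported as unknown rather than guessed at.

```python
import re
import subprocess

# Fixed releases named in the announcement. Anything older on the same
# branch still carries the flaws listed in the changelog above.
FIXED_VERSIONS = {
    "1.0.1": "1.0.1h",
    "0.9.8": "0.9.8za",
}

# Matches "1.0.1g" inside "OpenSSL 1.0.1g 7 Apr 2014" (letters are the
# patch-letter suffix OpenSSL 0.9.x/1.0.x used for releases).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Turn an OpenSSL version string into a comparable tuple.

    The suffix compares as a plain string, which matches OpenSSL's own
    ordering: '' < 'a' < ... < 'y' < 'z' < 'za' < 'zb'.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError("unrecognised OpenSSL version string: %r" % text)
    major, minor, patch, suffix = match.groups()
    return (int(major), int(minor), int(patch), suffix)


def check_version(text):
    """Return (branch, status); status is 'fixed', 'vulnerable' or 'unknown-branch'."""
    key = parse_version(text)
    branch = "%d.%d.%d" % key[:3]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return branch, "unknown-branch"
    if key >= parse_version(fixed):
        return branch, "fixed"
    return branch, "vulnerable"


def installed_version():
    """Ask the local openssl binary for its version; None if it is unavailable."""
    try:
        result = subprocess.run(
            ["openssl", "version"], capture_output=True, text=True, check=True
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed sample strings in the format `openssl version` prints.
    samples = [
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.1h 5 Jun 2014",
        "OpenSSL 0.9.8y 5 Feb 2013",
        "OpenSSL 0.9.8za 5 Jun 2014",
        "OpenSSL 1.0.0l 6 Jan 2014",
    ]
    local = installed_version()
    if local:
        samples.insert(0, local)
    for sample in samples:
        branch, status = check_version(sample)
        print("%-30s branch %-6s %s" % (sample, branch, status))
```

One caveat: this only tells you what the version string says. Distribution packages often backport fixes without changing the version, so on a vendor-built OpenSSL confirm the fix through the package changelog rather than the version letter alone; for the standalone builds the post links to, the version string is authoritative.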