


OpenSSL Fixes Over a Dozen Exploits, Including a High-Severity Flaw

The OpenSSL Project has fixed over a dozen vulnerabilities in OpenSSL, releasing versions 1.1.0a, 1.0.2i and 1.0.1u. One of the patched flaws is a high severity vulnerability that can be exploited for denial-of-service (DoS) attacks.

Tracked as CVE-2016-6304, the flaw could be exploited by sending a server a large OCSP Status Request extension, causing memory exhaustion to launch DoS attacks. Reported by a Chinese security firm, the vulnerability affects servers even if they don't support OCSP.

A malicious client can send an excessively large OCSP Status Request extension. If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then there will be unbounded memory growth on the server. This will eventually lead to a Denial Of Service attack through memory exhaustion. Servers with a default configuration are vulnerable even if they do not support OCSP. Builds using the "no-ocsp" build time option are not affected.

Servers using OpenSSL versions prior to 1.0.1g are not vulnerable in a default configuration, instead only if an application explicitly enables OCSP stapling support.
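For triage, the version rules above can be turned into a check over `openssl version` output. This is an added example, not code from the OpenSSL Project or the original article; the function names and result labels are hypothetical, and the sample strings are constructed.

```python
import re

# Fixed releases named in the article, keyed by branch.
FIXED = {(1, 1, 0): "a", (1, 0, 2): "i", (1, 0, 1): "u"}
# Per the article, releases before 1.0.1g are exposed only when the
# application explicitly enables OCSP stapling.
DEFAULT_EXPOSED_FROM = ((1, 0, 1), "g")

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def _letter_key(letters):
    # OpenSSL patch letters run a..z, then za, zb, ...; sort by length first.
    return (len(letters), letters)


def parse(version_text):
    """Return ((major, minor, fix), letters) from `openssl version` style text."""
    m = _VERSION.search(version_text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {version_text!r}")
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4)


def triage(version_text):
    """Classify a version string against CVE-2016-6304 as the article describes it.

    A version string shows neither distribution backports nor a "no-ocsp"
    build, so any result other than "fixed" is a prompt to check the vendor
    changelog and build options, not a final verdict.
    """
    branch, letters = parse(version_text)
    if branch in FIXED and _letter_key(letters) >= _letter_key(FIXED[branch]):
        return "fixed"
    if branch > (1, 1, 0):
        return "not-covered"  # newer than the branches the article discusses
    exposed_branch, exposed_letter = DEFAULT_EXPOSED_FROM
    if (branch, _letter_key(letters)) < (exposed_branch, _letter_key(exposed_letter)):
        return "affected-if-ocsp-stapling-enabled"
    return "affected-default-config"


if __name__ == "__main__":
    # Constructed sample inputs in the format printed by `openssl version`.
    for sample in ("OpenSSL 1.0.2h  3 May 2016", "OpenSSL 1.0.1f 6 Jan 2014",
                   "OpenSSL 1.1.0a  22 Sep 2016"):
        print(f"{sample!r}: {triage(sample)}")
```

Branches 0.9.8 and 1.0.0 fall under the "prior to 1.0.1g" rule here and never reach "fixed", because the article lists no fixed release for them.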

OpenSSL Project also fixes 1 moderate severity and 12 low severity vulnerabilities

The Project has also resolved 12 low severity vulnerabilities, but they don't impact the 1.1.0 branch that was launched a month ago. However, that branch is affected by a moderate severity flaw (CVE-2016-6305) that can also be exploited for DoS attacks.

The OpenSSL Project will end support for OpenSSL version 1.0.1 on 31st Dec 2022. Users won't receive any security updates after that. It was also noted in the security bulletin that support for versions 0.9.8 and 1.0.0 already ended on 31st December 2022. Security experts have advised users to upgrade in order to avoid any security bug.


Source: https://wccftech.com/openssl-fixes-dozen-exploits/

Posted by: blackgotho1967.blogspot.com
