3 replies to this topic

[AplusWebMaster]

FYI...

OpenSSL TLS server extension vuln - update available
- http://secunia.com/advisories/42243/
Release Date: 2010-11-16
Criticality level: Moderately critical
Impact: DoS, System access
Solution Status: Vendor Patch ...
CVE Reference: http://web.nvd.nist....d=CVE-2010-3864
... The vulnerability is reported in versions 0.9.8f through 0.9.8o and versions 1.0.0 and 1.0.0a.
Solution: Update to version 0.9.8p and 1.0.0b or apply patches.
Original Advisory: http://www.openssl.o...dv_20101116.txt

- http://www.securityt....com/id?1024743
Nov 16 2010

- http://www.us-cert.g...ses_openssl_1_0
November 17, 2010

Edited by AplusWebMaster, 18 November 2010 - 03:16 PM.

[AplusWebMaster]

FYI...

OpenSSL v0.9.8q-v1.0.0c released
- http://secunia.com/advisories/42473/
Last Update: 2010-12-08
Impact: Security Bypass
Where: From remote
Solution Status: Vendor Patch
CVE Reference(s):
http://web.nvd.nist....d=CVE-2008-7270
http://web.nvd.nist....d=CVE-2010-4180
... The vulnerability is reported in all versions prior to 0.9.8q or 1.0.0c.
Solution: Update to version 0.9.8q or 1.0.0c or apply patches.
Original Advisory:
http://www.openssl.o...dv_20101202.txt

[AplusWebMaster]

FYI...

OpenSSL vulns/fixes ...
- https://isc.sans.edu...l?storyid=12322
Last Updated: 2012-01-05 00:46:00 UTC - "... CVEs include:
DTLS Plaintext Recovery Attack (CVE-2011-4108)
Double-free in Policy Checks (CVE-2011-4109)
Uninitialized SSL 3.0 Padding (CVE-2011-4576)
Malformed RFC 3779 Data Can Cause Assertion Failures (CVE-2011-4577)
SGC Restart DoS Attack (CVE-2011-4619)
Invalid GOST parameters DoS Attack (CVE-2012-0027)
Details here: http://openssl.org/n...dv_20120104.txt
Downloads here: http://openssl.org/source/ ..."

- http://www.openssl.o...dv_20120104.txt
04 Jan 2012 - "... Affected users should upgrade to OpenSSL 1.0.0f or 0.9.8s..."

- https://secunia.com/advisories/47426/
Release Date: 2012-01-05
Criticality level: Moderately critical
Impact: Exposure of sensitive information, DoS, System access
Where: From remote
Solution: Update to version 0.9.8s or 1.0.0f.

- http://www.securityt....com/id/1026485
CVE Reference
- http://web.nvd.nist....d=CVE-2011-4108 - 4.3
- http://web.nvd.nist....d=CVE-2011-4109 - 9.3 (HIGH)
- http://web.nvd.nist....d=CVE-2011-4576 - 5.0
- http://web.nvd.nist....d=CVE-2011-4577 - 4.3
- http://web.nvd.nist....d=CVE-2011-4619 - 5.0
- http://web.nvd.nist....d=CVE-2012-0027 - 5.0
- http://web.nvd.nist....d=CVE-2012-0390 - 4.3
Updated: Jan 6 2012
Impact: Denial of service via network, Disclosure of user information, Execution of arbitrary code via network, User access via network
Version(s): prior to 0.9.8s; 1.x prior to 1.0.0f

Edited by AplusWebMaster, 09 January 2012 - 10:41 PM.

[AplusWebMaster]

FYI...

OpenSSL v0.9.8t, 1.0.0g released
- http://www.securityt....com/id/1026548
Date: Jan 19 2012
CVE Reference: http://web.nvd.nist....d=CVE-2012-0050 - 5.0
[Regression: "...incorrect fix for CVE-2011-4108"]
Impact: DoS via network
Version(s): 0.9.8s, 1.0.0f ...
... Only DTLS applications using OpenSSL 1.0.0f and 0.9.8s are affected.
Solution: The vendor has issued a fix (0.9.8t, 1.0.0g).
The vendor's advisory is available at:
http://www.openssl.o...dv_20120118.txt
18 Jan 2012 - "... Affected users should upgrade to OpenSSL 1.0.0g or 0.9.8t."