http://securityaffairs.co/wordpress/51448/security/openssl-high-severity-flaw.html
You might need to spare some time to do the update.
One of the flaws that affect the popular toolkit has a “high” severity.
The Project plans to release OpenSSL versions 1.1.0a, 1.0.2i and 1.0.1u next Thursday September 22 .
The OpenSSL Project has already issued three security patches this year that addressed a total of 16 vulnerabilities.
2 Comments
Tomi Engdahl says:
OpenSSL Security Advisory [22 Sep 2016]
https://www.openssl.org/news/secadv/20160922.txt
OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
A malicious client can send an excessively large OCSP Status Request extension.
If that client continually requests renegotiation, sending a large OCSP Status
Request extension each time, then there will be unbounded memory growth on the
server. This will eventually lead to a Denial Of Service attack through memory
exhaustion. Servers with a default configuration are vulnerable even if they do
not support OCSP. Builds using the “no-ocsp” build time option are not affected.
Servers using OpenSSL versions prior to 1.0.1g are not vulnerable in a default
configuration, instead only if an application explicitly enables OCSP stapling
support.
Other solved issues:
SSL_peek() hang on empty record (CVE-2016-6305) – Moderate onlly 1.1.0
SWEET32 Mitigation (CVE-2016-2183) – Low severity attack on older block cipher algorithms
Tomi Engdahl says:
I Got 99 Problems, But SWEET32 Isn’t One
http://www.securityweek.com/i-got-99-problems-sweet32-isnt-one
Where does SWEET32 rank against other SSL vulnerabilities?
Cryptographic attacks with cute names seem to come around every few months; so far in 2016 we have seen BICYCLE, DROWN, and now SWEET32.
A pair of researchers, Karthikeyan Bhargavan and Gaëtan Leurent with the French national research institute for computer science, published a cryptographic attack against older, 64-bit block ciphers such as triple-DES (3DES) and Blowfish. They called their attack SWEET32 (CVE-2016-2183) as the attack starts to become practical after 2^32 cipher blocks.
The attack’s website explains that the basis for the SWEET32 attack involves the birthday paradox from probability theory.
Let’s see where SWEET32 would land in my ranking system, which is similar to the CVSS methodology in that it focuses on impact and exploitability.