Patch AGAIN: OpenSSL security fixes now need their own security fixes
Recursion (n): See recursion
Sysadmins and devs, fresh from a weekend spoiled by last week's OpenSSL emergency patch, have another emergency patch to install.
One of last week's fixes, for CVE-2016-6307, created CVE-2016-6309, a dangling pointer security vulnerability.
As the fresh advisory states: “The patch applied to address CVE-2016-6307 resulted in an issue where if a message larger than approx 16k is received, then the underlying buffer to store the incoming message is reallocated and moved.
“Unfortunately a dangling pointer to the old location is left, which results in an attempt to write to the previously freed location. This is likely to result in a crash, however it could potentially lead to execution of arbitrary code.”
OpenSSL 1.1.0 users need to install 1.1.0b.
That one, rated critical, was turned up by Robert Święcki of the Google Security Team.
In the other bug (CVE-2016-7052), OpenSSL 1.0.2i omitted a certificate revocation list (CRL) sanity check from 1.1.0, meaning “any attempt to use CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.” Grab OpenSSL 1.0.2j to fix that one.
The latest patched code is available here or from your favorite operating system distribution. ®