Post-POODLE, OpenSSL shakes off some fleas

New fixes repair DOS, authentication flaws

OpenSSL has squashed eight low severity vulnerabilities bugs that could result in denial of service or the removal of forward secrecy.

The holes, two graded "moderate", were addressed in OpenSSL updates 1.0.0p, 0.98zd, and 1.0.1k.

Maintainers wrote in an advisory that Cisco warned last October that a crafted Datagram Transport Layer Security (DTLS) message could trigger a segmentation fault due (CVE-2014-3571) to a NULL pointer dereference.

Another bug (CVE-2015-0206) spotted by researcher Chris Mueller led to denial of service through memory exhaustion. A leak in the dtls1_buffer_record function was caused if attackers sent repeated DTLS records with the same sequence number but for the next epoch.

Other certificate flaws included a downgrade of forward secrecy (CVE-2014-3572) while another meant attackers could authenticate to servers without using private keys (CVE-2015-0204).

"An OpenSSL client will accept the use of an RSA temporary key in a non-export RSA key exchange cipher suite," maintainers wrote in an advisory. "A server could present a weak temporary key and downgrade the security of the session." ®




Biting the hand that feeds IT © 1998–2019