2014-06-07: Updated to openssl-1.0.1h


Changes between 1.0.1g and 1.0.1h [5 Jun 2014]

. Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
  handshake can force the use of weak keying material in OpenSSL
  SSL/TLS clients and servers.

  Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
  researching this issue. (CVE-2014-0224)

. Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
  OpenSSL DTLS client the code can be made to recurse eventually crashing
  in a DoS attack.

  Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.

. Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
  be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
  client or server. This is potentially exploitable to run arbitrary
  code on a vulnerable client or server.

  Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)

. Fix bug in TLS code where clients enable anonymous ECDH ciphersuites

  Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
  this issue. (CVE-2014-3470)

. Harmonize version and its documentation. -f flag is used to display
  compilation flags.

. Fix eckey_priv_encode so it immediately returns an error upon a failure
  in i2d_ECPrivateKey.

. Fix some double frees. These are not thought to be exploitable.