: Log in!

メインメニュー
Google


ウェブ 検索
サイト内検索
トップ  >  Linux14歩  >  2014-10-18 openssl(source)のupdate
20141018 openssl-1.0.1jにupdateしました


OpenSSL CHANGES

Changes between 1.0.1i and 1.0.1j [15 Oct 2014]

. SRTP Memory Leak.

  A flaw in the DTLS SRTP extension parsing code allows an attacker, who
  sends a carefully crafted handshake message, to cause OpenSSL to fail
  to free up to 64k of memory causing a memory leak. This could be
  exploited in a Denial Of Service attack. This issue affects OpenSSL
  1.0.1 server implementations for both SSL/TLS and DTLS regardless of
  whether SRTP is used or configured. Implementations of OpenSSL that
  have been compiled with OPENSSL_NO_SRTP defined are not affected.

  The fix was developed by the OpenSSL team.
  (CVE-2014-3513)
  [OpenSSL team]

. Session Ticket Memory Leak.

  When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
  integrity of that ticket is first verified. In the event of a session
  ticket integrity check failing, OpenSSL will fail to free memory
  causing a memory leak. By sending a large number of invalid session
  tickets an attacker could exploit this issue in a Denial Of Service
  attack.
  (CVE-2014-3567)
  [Steve Henson]

. Build option no-ssl3 is incomplete.

  When OpenSSL is configured with "no-ssl3" as a build option, servers
  could accept and complete a SSL 3.0 handshake, and clients could be
  configured to send them.
  (CVE-2014-3568)
  [Akamai and the OpenSSL team]

. Add support for TLS_FALLBACK_SCSV.
  Client applications doing fallback retries should call
  SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
  (CVE-2014-3566)
  [Adam Langley, Bodo Moeller]

. Add additional DigestInfo checks.
 
  Reencode DigestInto in DER and check against the original when
  verifying RSA signature: this will reject any improperly encoded
  DigestInfo structures.

  Note: this is a precautionary measure and no attacks are currently known.
  [Steve Henson]
投票数:24 平均点:5.42
前
2014-10-17 lynisのupdate
カテゴリートップ
Linux14歩
次
2014-10-19 phpのupdate