Slashdot Mirror


New OpenSSL Security Advisory Announced

New submitter eyeareque writes: It's time to patch OpenSSL again. The OpenSSL project has patched several moderate- and low-severity security vulnerabilities and also has added protection against the Logjam attack in new releases of the software. Personally I wish that OpenSSL released these in a predictable cadence. Patch Tuesday maybe?

1 of 95 comments

  1. Re:OpenSSL has been replaced... by Pow · Score: 4, Informative

    LibreSSL patches today:

    Avoid an infinite loop that can occur when verifying a message with an unknown hash function OID.
    Diff based on OpenSSL.
    Fixes CVE-2015-1792 (however, this code is not enabled/built in LibreSSL).
    ok doug@ miod@

    Avoid a potential out-of-bounds read in X509_cmp_time(), due to missing length checks.
    Diff based on changes in OpenSSL.
    Fixes CVE-2015-1789.
    ok doug@

    Avoid an infinite loop that can be triggered by parsing an ASN.1
    ECParameters structure that has a specially malformed binary polynomial field.
    Issue reported by Joseph Barr-Pixton and fix based on OpenSSL.
    Fixes CVE-2015-1788.
    ok doug@ miod@