OpenSSL, the popular open source implementation of the SSL protocol, has released updates patching nine issues, including several critical security vulnerabilities.
These include issues that can be exploited for denial of service (DoS), in which a server is flooded with messages to consume large amounts of memory, as well as issues that can leak information.
Critical Issues Addressed
The patches address the following critical security vulnerabilities:
- Preventing an attacker from downgrading the security level of the connection to something less secure than TLS 1.0.
- Preventing an attacker from forcing an error condition that causes OpenSSL to crash while processing DTLS packets, due to memory being freed twice.
- Preventing a malicious server, when a multithreaded client connects using a resumed session, from sending an ec point format extension that causes up to 255 bytes to be written to freed memory.
OpenSSL has come under close scrutiny since the revelation in April of the so-called Heartbleed bug, which could be exploited to circumvent SSL and capture communications between a browser and a server in unencrypted form. OpenSSL is used by almost 20% of all web servers, yet the project is maintained by approximately 10 full-time staff, who rely primarily on developer community contributions and donations. In response to the Heartbleed bug, numerous high-profile corporations have stepped forward to provide support.
The following updates are available:
• OpenSSL 0.9.8 users should upgrade to 0.9.8zb
• OpenSSL 1.0.0 users should upgrade to 1.0.0n
• OpenSSL 1.0.1 users should upgrade to 1.0.1i
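The practical check that follows from this list is whether a given host's OpenSSL build is older than the fixed release for its branch. The script below is an added example, not part of the article or the OpenSSL project; it encodes the three fixed versions named above and compares a version string (such as the output of `openssl version`) against them. The only assumption it makes is OpenSSL's pre-1.1 version scheme, where patch releases append letters that sort by length first and then alphabetically, so that 0.9.8zb is newer than 0.9.8za, which is newer than 0.9.8y.

```python
import re
import subprocess

# Minimum fixed release for each affected branch, as listed in the advisory above.
FIXED = {"0.9.8": "0.9.8zb", "1.0.0": "1.0.0n", "1.0.1": "1.0.1i"}

# Matches e.g. "1.0.1h" inside "OpenSSL 1.0.1h 5 Jun 2014" (the `openssl version` format).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return ((major, minor, fix), letters) for a pre-1.1 OpenSSL version
    string, or None if no version can be found in the text."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def letter_key(letters):
    # Patch letters sort by length first: "" < "a" < ... < "z" < "za" < "zb".
    return (len(letters), letters)


def needs_upgrade(version_text):
    """Return (branch, fixed_version) if the version is on an affected branch
    and older than the fixed release, or None if it is already fixed.
    Raises ValueError for unparseable strings or branches not in the advisory."""
    parsed = parse_version(version_text)
    if parsed is None:
        raise ValueError("unrecognised OpenSSL version: %r" % (version_text,))
    (major, minor, fix), letters = parsed
    branch = "%d.%d.%d" % (major, minor, fix)
    if branch not in FIXED:
        raise ValueError("branch %s is not covered by this advisory" % branch)
    fixed = FIXED[branch]
    _, fixed_letters = parse_version(fixed)
    if letter_key(letters) < letter_key(fixed_letters):
        return branch, fixed
    return None


if __name__ == "__main__":
    # Check the locally installed binary; skip gracefully if none is present.
    try:
        installed = subprocess.check_output(["openssl", "version"]).decode()
    except (OSError, subprocess.CalledProcessError):
        installed = None
    if installed is None:
        print("openssl binary not found")
    else:
        try:
            result = needs_upgrade(installed)
        except ValueError as exc:
            print("cannot assess: %s" % exc)
        else:
            if result:
                print("%s is vulnerable; upgrade branch %s to %s" % (installed.strip(), result[0], result[1]))
            else:
                print("%s is at or above the fixed release" % installed.strip())
```

Note that the letter comparison is the part worth getting right: a naive string comparison would rank 0.9.8y above 0.9.8zb and report a vulnerable host as patched. Distribution packages that backport fixes without bumping the upstream version are not detected by this check, and should be verified against the vendor's own changelog instead.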