OpenSSL Update Released
As announced earlier this week, OpenSSL released an update today for all currently supported versions (1.0.1, 1.0.2, 1.1.0).
The update fixes 14 different vulnerabilities. Only one vulnerability is rated "High". This vulnerability, CVE-2016-6304, can lead to memory exhaustion and a denial of service if the client sends multiple large OCSP requests.
With this update, the latest versions of OpenSSL for the various branches are 1.0.1u, 1.0.2i and 1.1.0a. All three branches are currently supported.
The table below shows which vulnerabilities apply to each branch.
| CVE | Description | Rating | 1.0.1 | 1.0.2 | 1.1.0 |
|---|---|---|---|---|---|
| CVE-2016-6304 | OCSP Status Request extension unbounded memory growth | High | x | x | x |
| CVE-2016-6305 | SSL_peek() hang on empty record (CVE-2016-6305) | Moderate | x | ||
| CVE-2016-2183 | SWEET32 Mitigation (CVE-2016-2183) | Low | x | x | |
| CVE-2016-6303 | OOB write in MDC2_Update() | Low | x | x | |
| CVE-2016-6302 | Malformed SHA512 ticket DoS | Low | x | x | |
| CVE-2016-2182 | OOB write in BN_bn2dec() | Low | x | x | |
| CVE-2016-2180 | OOB read in TS_OBJ_print_bio() (CVE-2016-2180) | Low | x | x | |
| CVE-2016-2177 | Pointer arithmetic undefined behaviour (CVE-2016-2177) | Low | x | x | |
| CVE-2016-2178 | Constant time flag not preserved in DSA signing | Low | x | x | |
| CVE-2016-2179 | DTLS buffered message DoS | Low | x | x | |
| CVE-2016-2181 | DTLS replay protection DoS | Low | x | x | |
| CVE-2016-6306 | Certificate message OOB reads | Low | x | x | |
| CVE-2016-6307 | Excessive allocation of memory in tls_get_message_header() | Low | x | ||
| CVE-2016-6308 | Excessive allocation of memory in dtls1_preprocess_fragment() | Low | x |
---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn
Keywords:
2 comment(s)
Join us at SANS!
Attend Application Security: Securing Web Apps, APIs, and Microservices with Johannes Ullrich in Tokyo starting Aug 29 2022
×
![]()
Diary Archives
