OpenSSL Update Released

Published: 2016-09-22
Last Updated: 2016-09-22 13:52:16 UTC
by Johannes Ullrich (Version: 1)

As announced earlier this week, OpenSSL released an update today for all currently supported versions (1.0.1, 1.0.2, 1.1.0).

The update fixes 14 vulnerabilities. Only one is rated "High": CVE-2016-6304, unbounded memory growth triggered by the OCSP Status Request extension. A malicious client sends an excessively large OCSP Status Request extension and then keeps requesting renegotiation, sending the large extension again each time; the server retains the extension data across renegotiations, so memory grows without bound until the process runs out of memory (a denial of service). Servers running a default configuration are affected even if they do not use OCSP stapling at all; only builds compiled with the "no-ocsp" option are immune. Because the attack depends on repeated client-initiated renegotiation, servers that refuse client-initiated renegotiation limit the exposure, but the fix is to upgrade.

With this update, the latest versions of OpenSSL for the various branches are 1.0.1u, 1.0.2i and 1.1.0a. All three branches are currently supported, but support for the 1.0.1 branch ends on 31 December 2016, so 1.0.1 users should treat this as one of its last updates and plan a move to 1.0.2 or 1.1.0.

The table below shows which vulnerabilities apply to each branch.

CVE            Description                                                  Rating    1.0.1  1.0.2  1.1.0
CVE-2016-6304  OCSP Status Request extension unbounded memory growth        High      x      x      x
CVE-2016-6305  SSL_peek() hang on empty record                              Moderate                x
CVE-2016-2183  SWEET32 mitigation                                           Low       x      x
CVE-2016-6303  OOB write in MDC2_Update()                                   Low       x      x
CVE-2016-6302  Malformed SHA512 ticket DoS                                  Low       x      x
CVE-2016-2182  OOB write in BN_bn2dec()                                     Low       x      x
CVE-2016-2180  OOB read in TS_OBJ_print_bio()                               Low       x      x
CVE-2016-2177  Pointer arithmetic undefined behaviour                       Low       x      x
CVE-2016-2178  Constant time flag not preserved in DSA signing              Low       x      x
CVE-2016-2179  DTLS buffered message DoS                                    Low       x      x
CVE-2016-2181  DTLS replay protection DoS                                   Low       x      x
CVE-2016-6306  Certificate message OOB reads                                Low       x      x
CVE-2016-6307  Excessive allocation of memory in tls_get_message_header()   Low                     x
CVE-2016-6308  Excessive allocation of memory in dtls1_preprocess_fragment() Low                    x
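To turn the table into something you can run against an inventory, here is an added example (written for this diary, not OpenSSL project or ISC code) that parses the output of `openssl version` and reports which of the CVEs above still apply to that build. The fixed-release letters (1.0.1u, 1.0.2i, 1.1.0a) and the per-branch rows come straight from the advisory table; the sample version strings in the docstrings and tests are constructed for illustration.

```python
"""Map an `openssl version` string onto the 22 Sep 2016 OpenSSL advisory.

Added example for this diary; not an OpenSSL or ISC tool.
"""
import re

# Fixed release per supported branch, from the advisory.
FIXED_RELEASE = {"1.0.1": "u", "1.0.2": "i", "1.1.0": "a"}

# (CVE, rating, affected branches), one entry per row of the table above.
ADVISORY = [
    ("CVE-2016-6304", "High",     {"1.0.1", "1.0.2", "1.1.0"}),
    ("CVE-2016-6305", "Moderate", {"1.1.0"}),
    ("CVE-2016-2183", "Low",      {"1.0.1", "1.0.2"}),
    ("CVE-2016-6303", "Low",      {"1.0.1", "1.0.2"}),
    ("CVE-2016-6302", "Low",      {"1.0.1", "1.0.2"}),
    ("CVE-2016-2182", "Low",      {"1.0.1", "1.0.2"}),
    ("CVE-2016-2180", "Low",      {"1.0.1", "1.0.2"}),
    ("CVE-2016-2177", "Low",      {"1.0.1", "1.0.2"}),
    ("CVE-2016-2178", "Low",      {"1.0.1", "1.0.2"}),
    ("CVE-2016-2179", "Low",      {"1.0.1", "1.0.2"}),
    ("CVE-2016-2181", "Low",      {"1.0.1", "1.0.2"}),
    ("CVE-2016-6306", "Low",      {"1.0.1", "1.0.2"}),
    ("CVE-2016-6307", "Low",      {"1.1.0"}),
    ("CVE-2016-6308", "Low",      {"1.1.0"}),
]

# "OpenSSL 1.0.2h  3 May 2016"  -> branch "1.0.2", patch letters "h"
# "OpenSSL 1.1.0  25 Aug 2016"  -> branch "1.1.0", patch letters ""
# (the first release of a branch carries no letter; "-fips" suffixes are ignored)
VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(text):
    """Extract (branch, patch_letters) from `openssl version` output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    return m.group(1), m.group(2)


def patch_rank(letters):
    """Order OpenSSL patch letters: "" < a < ... < z < za < zb < ...

    Summing the letter positions gives exactly this order, because OpenSSL
    continues past z with za, zb, ... (the 0.9.8 branch reached 0.9.8zh).
    """
    return sum(ord(c) - ord("a") + 1 for c in letters)


def applicable_cves(version_text):
    """Return the (CVE, rating) pairs still open for this version string.

    [] means the build is at or past the fixed release. None means the
    branch is not covered by this advisory (0.9.8, 1.0.0, ...): those are
    out of support and receive no fix, so treat them as needing replacement.

    Caveat: distributions that backport fixes keep the upstream version
    string, so a vendor package reporting 1.0.1t or 1.0.2h may already be
    patched. For those, check the package changelog for the CVE instead.
    """
    branch, letters = parse_version(version_text)
    if branch not in FIXED_RELEASE:
        return None
    if patch_rank(letters) >= patch_rank(FIXED_RELEASE[branch]):
        return []
    return [(cve, rating) for cve, rating, branches in ADVISORY
            if branch in branches]


if __name__ == "__main__":
    import subprocess
    import sys
    # Pass a version string as the first argument, or run the local binary.
    text = sys.argv[1] if len(sys.argv) > 1 else subprocess.check_output(
        ["openssl", "version"], text=True)
    print(text.strip(), "->", applicable_cves(text))
```

Remember that `openssl version` only tells you about the command-line binary; services that statically link OpenSSL or bundle their own copy (and anything that has not been restarted since the library was updated) need to be checked separately.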

Johannes B. Ullrich, Ph.D.

