OpenSSL now at 1.0.2b

It includes fixes and mitigations for six CVEs, rated from low to moderate. From the security advisory:

  1. The Logjam man-in-the-middle attack
  2. Malformed ECParameters causes infinite loop (CVE-2015-1788)
  3. Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
  4. PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
  5. CMS verify infinite loop with unknown hash function (CVE-2015-1792)
  6. Race condition handling NewSessionTicket (CVE-2015-1791)
  7. Invalid free in DTLS (CVE-2014-8176)

All are rated moderate or low, so none is worthy of its own website (well, maybe other than Logjam?). As usual, patch and so on.
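Since the advice is "patch", here is a small added check (not from the post) that tells you whether a 1.0.2-branch OpenSSL is at or above 1.0.2b. It parses the output format of `openssl version` ("OpenSSL 1.0.2b 11 Jun 2015"), turns the version into a sortable integer so that the letter suffix compares correctly (1.0.2a < 1.0.2b < 1.0.2c), and deliberately refuses to judge other branches, whose fixed release letters are not given in this post. The sample version lines inside it are constructed.

```shell
#!/bin/sh
# Added example, not code from the post or from the OpenSSL project.
# Checks whether an `openssl version` line reports 1.0.2b or later.

MIN_VERSION="1.0.2b"   # first 1.0.2 release carrying the fixes in this advisory

# version_key: map "1.0.2b" to an integer that sorts in release order.
# Letter suffix becomes a=1, b=2, ...; no suffix is 0 (so 1.0.2 < 1.0.2a).
version_key() {
    v="$1"
    base=${v%%[a-z]*}                     # "1.0.2b" -> "1.0.2"
    letter=${v#"$base"}                   # "1.0.2b" -> "b"
    letter=${letter%%[!a-z]*}             # keep only the leading letter(s)
    if [ -n "$letter" ]; then
        lnum=$(( $(printf '%d' "'$letter") - 96 ))   # ASCII 'a' is 97
    else
        lnum=0
    fi
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0     # no third component given
    printf '%d' $(( major * 1000000 + minor * 10000 + patch * 100 + lnum ))
}

# openssl_version_string: pull the version token out of an
# `openssl version` line such as "OpenSSL 1.0.2b 11 Jun 2015".
openssl_version_string() {
    set -- $1
    printf '%s' "$2"
}

# is_patched: exit 0 if the line reports 1.0.2b or later,
# 1 if it reports an older 1.0.2 release,
# 2 if it is not the 1.0.2 branch at all (this check does not decide those).
is_patched() {
    ver=$(openssl_version_string "$1")
    case "$ver" in
        1.0.2*) ;;
        *) return 2 ;;
    esac
    [ "$(version_key "$ver")" -ge "$(version_key "$MIN_VERSION")" ]
}

# Stand-alone use: check whatever openssl binary is on PATH, if any.
if command -v openssl >/dev/null 2>&1; then
    line=$(openssl version)
    is_patched "$line"
    case $? in
        0) echo "ok: $line" ;;
        1) echo "UPDATE NEEDED: $line" ;;
        *) echo "not the 1.0.2 branch, not checked: $line" ;;
    esac
fi
```

The integer key is what makes the letter comparison safe; a plain string comparison would already work for single letters, but the numeric form also handles a version with no suffix and keeps the check readable. Run it on each host you manage, or feed it `openssl version` output collected from elsewhere.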

Or, you could take your chances (as so many have told me to) and use a fork. If this software continues to have issues despite being entrenched and a de facto standard, I'm sure your offshoot with huge swaths of code changes and far less testing will be more secure.

(Update: freebsd-update now fetches the newer openssl and libssl packages).

