OpenSSL now at 1.0.2b

Software

It includes fixes and mitigations for six CVEs, rated from low to moderate. From the security advisory:

  1. The Logjam man-in-the-middle attack
  2. Malformed ECParameters causes infinite loop (CVE-2015-1788)
  3. Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
  4. PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
  5. CMS verify infinite loop with unknown hash function (CVE-2015-1792)
  6. Race condition handling NewSessionTicket (CVE-2015-1791)
  7. Invalid free in DTLS (CVE-2014-8176)

All are rated moderate or low. Therefore, none worthy of their own website (well, maybe other than Logjam?). As usual, patch and so on.

Or, you could take your chances (as so many have told me to) and use a fork. If this software continues to have issues despite being entrenched and a de facto standard, I'm sure your offshoot with huge swaths of code changes and far less testing will be more secure.

(Update: freebsd-update now fetches the newer openssl and libssl packages).

Author bio and support

Me!

Ruben Schade is a technical writer and IaaS engineer in Sydney, Australia who refers to himself in the third person in bios. Wait, not BIOS… my brain should be EFI by now.

The site is powered by Hugo, FreeBSD, and OpenZFS on OrionVM, everyone’s favourite cloud infrastructure provider.

If you found this post helpful or entertaining, you can shout me a coffee or buy some silly merch. Thanks!