Opened 9 years ago
Closed 9 years ago
#6596 closed enhancement (fixed)
openssl-1.0.2c
Reported by: | | Owned by: | Fernando de Oliveira
---|---|---|---
Priority: | high | Milestone: | 7.8
Component: | BOOK | Version: | SVN
Severity: | normal | Keywords: |
Cc: | | |
Description (last modified by )
New micro version
Now openssl-1.0.2c.
https://openssl.org/source/openssl-1.0.2c.tar.gz
https://openssl.org/source/openssl-1.0.2c.tar.gz.md5
https://openssl.org/source/openssl-1.0.2c.tar.gz.asc
https://openssl.org/news/openssl-1.0.2-notes.html
or
https://raw.githubusercontent.com/openssl/openssl/OpenSSL_1_0_2-stable/CHANGES
(Latter is more detailed and more recent.)
Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015]

    Fix HMAC ABI incompatibility

Major changes between OpenSSL 1.0.2a and OpenSSL 1.0.2b [11 Jun 2015]

    Malformed ECParameters causes infinite loop (CVE-2015-1788)
    Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
    PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
    CMS verify infinite loop with unknown hash function (CVE-2015-1792)
    Race condition handling NewSessionTicket (CVE-2015-1791)
https://openssl.org/news/secadv_20150611.txt
OpenSSL Security Advisory [11 Jun 2015]
=======================================

DHE man-in-the-middle protection (Logjam)
====================================================================

A vulnerability in the TLS protocol allows a man-in-the-middle attacker to downgrade vulnerable TLS connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography. This vulnerability is known as Logjam (CVE-2015-4000).

OpenSSL has added protection for TLS clients by rejecting handshakes with DH parameters shorter than 768 bits. This limit will be increased to 1024 bits in a future release.

OpenSSL 1.0.2 users should upgrade to 1.0.2b
OpenSSL 1.0.1 users should upgrade to 1.0.1n

Fixes for this issue were developed by Emilia Käsper and Kurt Roeckx of the OpenSSL development team.

Malformed ECParameters causes infinite loop (CVE-2015-1788)
===========================================================
...

Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
===============================================================
...

PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
=========================================================
...

CMS verify infinite loop with unknown hash function (CVE-2015-1792)
===================================================================
...

Race condition handling NewSessionTicket (CVE-2015-1791)
========================================================
...

Invalid free in DTLS (CVE-2014-8176)
====================================
...
Change History (3)
comment:1 by , 9 years ago
Description: | modified (diff) |
---|---|
Priority: | normal → high |
Summary: | openssl-1.0.2b → openssl-1.0.2c |
comment:2 by , 9 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:3 by , 9 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fixed at r16119.