The OpenSSL team published a security advisory on August 6th, 2014; see the OpenSSL site for more information. All vulnerabilities in that advisory have been patched in the latest versions of OpenSSL 1.0.1-chacha and 1.0.2-chacha:
- Information leak in pretty printing functions (CVE-2014-3508)
- Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)
- Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
- Double Free when processing DTLS packets (CVE-2014-3505)
- DTLS memory exhaustion (CVE-2014-3506)
- DTLS memory leak from zero-length fragments (CVE-2014-3507)
- OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
- OpenSSL TLS protocol downgrade attack (CVE-2014-3511)
- SRP buffer overrun (CVE-2014-3512)
As always, check https://onwebsecurity.com/cryptography/openssl for the latest Windows 32-bit and 64-bit binaries, and https://github.com/PeterMosmans/openssl for the latest sources.