OpenSSL Project issues 12 patches in Thursday update
New versions of OpenSSL were released on Thursday to address multiple security vulnerabilities, including two of “high” severity.
One denial-of-service (DoS) bug, CVE-2015-0291, only impacts OpenSSL version 1.02., but could, if exploited, allow attackers to make a client or server crash with a malformed certificate, member of the OpenSSL development team Rich Salz told Threatpost.
The other high severity bug was upgraded from a “low” rating after it was discovered that RSA export ciphersuites support is more common than initially thought. The bug impacts OpenSSL versions 1.0.1., 1.0.0, and 0.9.8. The vulnerability left OpenSSL open to man-in-the-middle (MitM) attacks.
Ten other fixes were issued, as well, including a ‘moderate' bug that typically triggers a segmentation fault, but can also enable a DoS attack.
Earlier this month, Cryptography Services launched a security audit of OpenSSL, the largest effort to review the service yet.