Vulnerability Management

OpenSSL Project issues 12 patches in Thursday update

New versions of OpenSSL were released on Thursday to address multiple security vulnerabilities, including two of “high” severity.

One denial-of-service (DoS) bug, CVE-2015-0291, impacts only OpenSSL version 1.0.2, but if exploited it could allow an attacker to crash a client or server with a malformed certificate, Rich Salz, a member of the OpenSSL development team, told Threatpost.

The other high-severity bug was upgraded from a “low” rating after it was discovered that support for RSA export ciphersuites is more common than initially thought. The bug impacts OpenSSL versions 1.0.1, 1.0.0, and 0.9.8. The vulnerability left OpenSSL open to man-in-the-middle (MitM) attacks.

Ten other fixes were issued as well, including a “moderate” bug that typically triggers a segmentation fault but can also enable a DoS attack.

Earlier this month, Cryptography Services launched a security audit of OpenSSL, the largest effort yet to review the library.
