Back
-
Solutions
Back
Digital Trust for:
Enterprise IT, PKI & Identity
Code & Software Signing
Documents & eSignatures
IoT & Connected Devices
Manage PKI and certificate risk in one place
Quantum is coming.
It's time to prepare.
Quantum is coming.
WATCH REPLAY
It's time to prepare. - Buy
-
Insights
Back
Resources
Explore these pages to discover how TV is helping organizations establish, manage and extend digital trust to solve real-world problems.
-
Partners
Back
- Support
- Contact us
- Language
Announcements
09-27-2016
Jason Sabin
OpenSSL Patches “Critical” & “Moderate” Security Vulnerabilities
Early this morning, the OpenSSL project team —1.1.0b, and 1.0.2j—for two security vulnerabilities discovered in OpenSSL. These two new patches fix a “critical” severity vulnerability found in version 1.1.0a and a “moderate” severity vulnerability found in versions 1.0.2i.
Neither of these bugs affect your SSL/TLS Certificates, and no actions are required related to SSL/TLS Certificate management.Source code for all the OpenSSL patches is available at .
For a full list of vulnerabilities, see the .
“Critical” Severity Vulnerability
Fix Use After Free for large message sizes (CVE-2016-6309)
The OpenSSL Security advisory reported one “critical” severity vulnerability that affects only 1.1.0a users. This vulnerability was introduced in the fix for the "Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307)"low severity vulnerability.
If the server receives a message that is 16k or larger, then “underlying buffer to store the incoming message is reallocated and moved.” The problem: a “dangling pointer” remains. When the server tries to write to this supposedly free location, it may cause the server to crash. Or in a worst-case scenario, it could result in arbitrary code being executed.
This vulnerability only affects those running an instance of OpenSSL 1.1.0a.
Update your instance of OpenSSL 1.1.0a immediately:
- OpenSSL 1.1.0a users need to upgrade to version 1.1.0b
“Moderate” Severity Vulnerability
Missing CRL sanity check (CVE-2016-7052)
The “moderate” severity vulnerability reported by the OpenSSL Security advisory only affects 1.0.2i users. This vulnerability was introduced in a bug fix that was supposed to contain a “CRL sanity check.” Because itwas left out, an attempt to use CRLs results in a “crash with a null pointer exception.”
This vulnerability only affects those running an instance of OpenSSL 1.0.2i.
Update your instance of OpenSSL 1.0.2i:
- OpenSSL 1.0.2i users need to upgrade to version 1.0.1j.
Plan to Upgrade to OpenSSL 1.0.2 or 1.1.0 Soon
There are onlythree months left until support for your instance of OpenSSL 1.0.1 ends (December 31, 2016). If you are running an instance of OpenSSL 1.0.1, upgrade to the latest version of OpenSSL 1.1.0 (recommended) or 1.0.2 before support ends.
Featured Stories
-
The most-trusted global provider of high-assurance TLS/SSL, PKI, IoT and signing solutions.
-
© 2024 TV. All rights reserved.
Legal Repository Audits & Certifications Terms of Use Privacy Center Accessibility Cookie Settings