Back
-
Solutions
Back
Digital Trust for:
Enterprise IT, PKI & Identity
Code & Software Signing
Documents & eSignatures
IoT & Connected Devices
Manage PKI and certificate risk in one place
Quantum is coming.
It's time to prepare.
Quantum is coming.
WATCH REPLAY
It's time to prepare. - Buy
-
Insights
Back
Resources
Explore these pages to discover how TV is helping organizations establish, manage and extend digital trust to solve real-world problems.
-
Partners
Back
- Support
- Contact us
- Language
This morning, the OpenSSL project team released the for three security vulnerabilities discovered in OpenSSL 1.1.0. This patches fix one “high severity,” one “moderate severity,” and one “low severity” vulnerabilities.
None of these bugs affect SSL/TLS certificates. No actions related to SSL/TLS certificate management are required.Source code for all the OpenSSL patches is available at.
For a full list of vulnerabilities, see the.
About the High Severity Vulnerability
ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054)
The high severity vulnerability affects TLS connects that use the *-CHACHA20-POLY1305 cipher suites. These type of TLS connections are vulnerable to a DoS attack where the attacker sends a large corrupted payload, which could crash OpenSSL.
This issue only affects those running an instance of OpenSSL 1.1.0.
Update your instance(s) of OpenSSL:
- OpenSSL 1.1.0 users need to upgrade to version 1.1.0c
About the Moderate Severity Vulnerability
CMS Null dereference (CVE-2016-7053)
“Applications parsing invalid CMS structures can crash with a NULL pointer dereference.” This vulnerability only affects CHOICE structures that use callbacks that cannot handle NULL value.This issue only affects those running an instance of OpenSSL 1.1.0.
Update your instance(s) of OpenSSL:
- OpenSSL 1.1.0 users need to upgrade to version 1.1.0c
About the Low Severity Vulnerability
Montgomery multiplication may produce incorrect results (CVE-2016-7055)
“Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation.”This issue only affects those running an instance of OpenSSL 1.1.0 and 1.0.2.*
*Note: Although this bug is also found in OpenSSL 1.0.2, the severity of the issue and likelihood of it being exploited are so low that OpenSSL will patch it in the next 1.0.2 release.Update your instance(s) of OpenSSL:
- OpenSSL 1.1.0 users need to upgrade to version 1.1.0c
Support for OpenSSL 1.0.1 Ends Soon
Support for OpenSSL 1.0.1 will end on December 31, 2016. The OpenSSL community will no longer issue security updates for 1.0.1 after that date. If you are still running an instance of OpenSSL 1.0.1, make plans now to upgrade to the latest version of OpenSSL 1.1.0 (recommended) or 1.0.2 before 2016 ends.
Featured Stories
-
The most-trusted global provider of high-assurance TLS/SSL, PKI, IoT and signing solutions.
-
© 2024 TV. All rights reserved.
Legal Repository Audits & Certifications Terms of Use Privacy Center Accessibility Cookie Settings