OpenSSL has released version 1.0.0c of its SSL implementation. According to the OpenSSL security advisory, the following security issues have been fixed in the new version:
OpenSSL Ciphersuite Downgrade Attack
A flaw has been found in the OpenSSL SSL/TLS server code where an old bug workaround allows malicious clients to modify the stored session cache ciphersuite. In some cases the ciphersuite can be downgraded to a weaker one on subsequent connections.
- The OpenSSL security team would like to thank Martin Rex for reporting this issue.
- This vulnerability is tracked as CVE-2010-4180
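A resumed SSL/TLS session is expected to keep the ciphersuite negotiated in its original full handshake, so a cipher change on resumption is a usable signal for the downgrade described above. The following Python check is an added example, not part of the OpenSSL advisory or code; the log format, session IDs and sample lines are constructed for illustration.

```python
import re

# Constructed log format for this example (not an OpenSSL format):
#   <time> sid=<hex session id> resumed=<0|1> cipher=<OpenSSL cipher name>
LINE_RE = re.compile(r"^(\S+) sid=([0-9a-f]+) resumed=([01]) cipher=(\S+)$")

# Symmetric key sizes in bits for the cipher names used in the sample below.
KEY_BITS = {"AES256-SHA": 256, "AES128-SHA": 128, "DES-CBC-SHA": 56, "EXP-RC4-MD5": 40}

SAMPLE_LOG = """\
10:00:01 sid=a1b2 resumed=0 cipher=AES256-SHA
10:00:05 sid=c3d4 resumed=0 cipher=AES128-SHA
10:00:09 sid=a1b2 resumed=1 cipher=AES256-SHA
10:00:12 sid=c3d4 resumed=1 cipher=EXP-RC4-MD5
10:00:15 sid=c3d4 resumed=1 cipher=EXP-RC4-MD5
10:00:20 sid=e5f6 resumed=1 cipher=DES-CBC-SHA
malformed line
"""

def find_resumption_cipher_changes(lines):
    """Return one finding per resumed connection whose cipher differs from
    the cipher negotiated when that session was first established."""
    established = {}   # session id -> cipher from the full handshake
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip lines that do not parse
        ts, sid, resumed, cipher = m.groups()
        if resumed == "0":
            established[sid] = cipher     # full handshake: record the baseline
            continue
        original = established.get(sid)
        if original is None:
            continue                      # baseline lies outside the log window
        if cipher != original:
            # Unknown cipher names count as 0 bits in this comparison.
            weaker = KEY_BITS.get(cipher, 0) < KEY_BITS.get(original, 0)
            findings.append({"time": ts, "sid": sid, "original": original,
                             "resumed_with": cipher, "weaker": weaker})
    return findings

if __name__ == "__main__":
    for finding in find_resumption_cipher_changes(SAMPLE_LOG.splitlines()):
        print(finding)
```

The baseline is taken only from full handshakes, so every later resumption of an affected session is reported, not just the first one.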
OpenSSL JPAKE validation error
Sebastian Martini found an error in OpenSSL’s J-PAKE implementation which could lead to successful validation by someone with no knowledge of the shared secret. This error is fixed in 1.0.0c. Details of the problem can be found here: http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf
Note that the OpenSSL Team still considers its implementation of J-PAKE to be experimental, and it is not compiled by default.
- This issue is tracked as CVE-2010-4252
More information is available here.