September 28, 2016

OpenSSL Released a New Version and Fixed Two Vulnerabilities

OpenSSL has released version 1.0.0c of the OpenSSL SSL implementation. According to the OpenSSL security advisory, the following security issues have been fixed in the new version:

OpenSSL Ciphersuite Downgrade Attack

A flaw has been found in the OpenSSL SSL/TLS server code where an old bug workaround allows malicious clients to modify the stored session cache ciphersuite. In some cases the ciphersuite can be downgraded to a weaker one on subsequent connections.

  • The OpenSSL security team would like to thank Martin Rex for reporting this issue.
  • This vulnerability is tracked as CVE-2010-4180.

OpenSSL JPAKE validation error

Sebastian Martini found an error in OpenSSL’s J-PAKE implementation which could lead to successful validation by someone with no knowledge of the shared secret. This error is fixed in 1.0.0c. Details of the problem can be found here: http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf

Note that the OpenSSL team still considers its implementation of J-PAKE to be experimental, and it is not compiled by default.

  • This issue is tracked as CVE-2010-4252.

More information is available here.

Source: [openssl.org]