OpenSSL patches and releases new versions

The OpenSSL Project released OpenSSL 1.0.2b, 1.0.1n, 1.0.0s and 0.9.8zg, which patched five security issues, including the Logjam vulnerability.

The Logjam bug was addressed by adding protection on the TLS client side: handshakes that offer DH parameters shorter than 768 bits are now rejected, OpenSSL wrote in a security advisory. The limit will be raised to 1024 bits in the future.
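To make the client-side check concrete, here is an added example (not OpenSSL's code) that parses the ServerDHParams a TLS server sends in its ServerKeyExchange message and rejects any prime shorter than the 768-bit minimum; the helper names and the constructed sample values are assumptions for this illustration, and the sample moduli are only length placeholders, not real primes.

```python
import struct

MIN_DH_BITS = 768  # minimum the advisory describes; 1024 is the planned successor


def parse_server_dh_params(data: bytes):
    """Parse ServerDHParams (RFC 5246, 7.4.3): three length-prefixed
    opaque vectors dh_p, dh_g, dh_Ys, each with a 2-byte big-endian length."""
    off, fields = 0, []
    for _ in range(3):
        if off + 2 > len(data):
            raise ValueError("truncated ServerDHParams")
        (n,) = struct.unpack_from("!H", data, off)
        off += 2
        if n == 0 or off + n > len(data):
            raise ValueError("bad vector length in ServerDHParams")
        fields.append(data[off:off + n])
        off += n
    return tuple(fields)  # (dh_p, dh_g, dh_Ys) as raw bytes


def dh_prime_bits(p: bytes) -> int:
    """Effective bit length of the modulus, ignoring leading zero bytes."""
    return int.from_bytes(p, "big").bit_length()


def accept_dh_params(data: bytes, min_bits: int = MIN_DH_BITS) -> bool:
    """Return True only if the server's DH modulus meets the minimum size."""
    p, _g, _ys = parse_server_dh_params(data)
    return dh_prime_bits(p) >= min_bits


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Build a ServerDHParams blob (constructed test input, not from a real server)."""
    def vec(x: int) -> bytes:
        b = x.to_bytes((x.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(b)) + b
    return vec(p) + vec(g) + vec(ys)


if __name__ == "__main__":
    # Constructed moduli: only the bit length matters for this check.
    weak = encode_server_dh_params((1 << 511) | 1, 2, 5)     # 512-bit, export-grade
    ok = encode_server_dh_params((1 << 1023) | 1, 2, 5)      # 1024-bit
    print("512-bit accepted:", accept_dh_params(weak))       # False
    print("1024-bit accepted:", accept_dh_params(ok))        # True
```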

None of the other four patched bugs were considered “severe.” One issue could have allowed an attacker to perform a denial of service (DoS) attack against any system that verifies signedData messages using the CMS code: the CMS code could enter an infinite loop while verifying a signedData message if it was presented with an unknown hash function OID.

Another patched vulnerability would have allowed an attacker to craft malformed certificates and CRLs of various sizes that could trigger a segmentation fault.