As mentioned earlier this week announced for updates today OpenSSL true that address multiple vulnerabilities. In total, it comes to 14 vulnerabilities, two of which are labeled as "high." This is the highest level for vulnerabilities that uses OpenSSL. The first high-leak is present only in version 1.0.2, and makes it possible to perform a Denial of Service against a server.
The second high-leak was originally labeled as "low", the lowest category that uses OpenSSL. One of the OpenSSL developers had previously indicated that only one high-leak would be, which was in version 1.0.2. Still, it was decided the low-leakage to label as high. It involves "FREAK leak" that previously was revealed by researchers. Through the leak, an attacker who is between a target and the Internet is in some cases the encryption of the encrypted connection to downgrade to a weak encryption to crack then that and to see the encrypted traffic.
According to the OpenSSL developers was initially assumed that the problem would be small and it was not possible for many servers to downgrade to the weak encryption. Further investigation showed, however, that a significant number of servers supporting the weak encryption. The other vulnerabilities patched today were mainly possible to conduct denial of service attacks against servers. Administrators are advised, depending on which version is installed, upgrade to version 1.0.2a ,1.0.1m , 1.0.0r or 0.9.8zf .
No comments:
Post a Comment