Re: OpenSSL 0.9.8 patches
Right, but what about the patch for adding TLS_FALLBACK_SCSV? And the
other vulnerabilities that were patched in 0.9.8zc?
*****************
Changes between 0.9.8zb and 0.9.8zc [15 Oct 2014]
*) Session Ticket Memory Leak.
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service
attack.
(CVE-2014-3567)
[Steve Henson]
*) Build option no-ssl3 is incomplete.
When OpenSSL is configured with "no-ssl3" as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.
(CVE-2014-3568)
[Akamai and the OpenSSL team]
*) Add support for TLS_FALLBACK_SCSV.
Client applications doing fallback retries should call
SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
(CVE-2014-3566)
[Adam Langley, Bodo Moeller]
*) Add additional DigestInfo checks.
Reencode DigestInto in DER and check against the original when
verifying RSA signature: this will reject any improperly encoded
DigestInfo structures.
Note: this is a precautionary measure and no attacks are currently
known.
On 10/20/2014 01:22 PM, Johnathon Tinsley wrote:
> POODLE is basically un-patchable. Just turn off SSLv3 in any application which requires encryption.
>
>
>
> ----- Original Message -----
> From: "Paul Allen" <paul@inetz.com>
> To: debian-lts@lists.debian.org
> Sent: Monday, 20 October, 2014 7:51:12 PM
> Subject: OpenSSL 0.9.8 patches
>
> Will the OpenSSL 0.9.8 package for Squeeze LTS be getting patched with
> the latest security patches for the items such as POODLE? I've seen the
> Wheezy and Sid packages patched, but nothing for Squeeze yet.
>
> Paul
>
>
Reply to: