On Tue, Sep 06, 2011 at 03:40:30PM +0200, OpenSSL wrote:
> 
> OpenSSL Security Advisory [6 September 2011]
> 
> Two security flaws have been fixed in OpenSSL 1.0.0e
> 
> CRL verification vulnerability in OpenSSL
> =========================================
> 
> Under certain circumstances OpenSSL's internal certificate verification
> routines can incorrectly accept a CRL whose nextUpdate field is in the past.
> (CVE-2011-3207)
> 
> This issue applies to OpenSSL versions 1.0.0 through 1.0.0d. Versions of
> OpenSSL before 1.0.0 are not affected.
> 
> Users of affected versions of OpenSSL should update to the OpenSSL 1.0.0e
> release, which contains a patch to correct this issue.
> 
> Thanks to Kaspar Brand <o...@velox.ch> for identifying this bug and 
> suggesting a fix.
> 
> 
> TLS ephemeral ECDH crashes in OpenSSL
> =====================================
> 
> OpenSSL server code for ephemeral ECDH ciphersuites is not thread-safe, and
> furthermore can crash if a client violates the protocol by sending handshake
> messages in incorrect order. (CVE-2011-3210)
> 
> This issue applies to OpenSSL 0.9.8 through 0.9.8s (experimental "ECCdraft"
> ciphersuites) and to OpenSSL 1.0.0 through 1.0.0d.
> 
> Affected users of OpenSSL should update to the OpenSSL 1.0.0e release, which
> contains a patch to correct this issue. If you cannot immediately upgrade,
> we recommend that you disable ephemeral ECDH ciphersuites if you have enabled
> them.
> 
> Thanks to Adam Langley <a...@chromium.org> for identifying and fixing this
> issue.
> 
> Which applications are affected
> ===============================
> 
> Applications are only affected by the CRL checking vulnerability if they
> enable OpenSSL's internal CRL checking, which is off by default, for
> example by setting the verification flag X509_V_FLAG_CRL_CHECK or
> X509_V_FLAG_CRL_CHECK_ALL.
> Applications which use their own custom CRL checking (such as Apache) are not
> affected.
> 
> Only server-side applications that specifically support ephemeral ECDH
> ciphersuites are affected by the ephemeral ECDH crash bug and only if
> ephemeral ECDH ciphersuites are enabled in the configuration. You can check
> to see if an application supports ephemeral ECDH ciphersuites by looking for
> SSL_CTX_set_tmp_ecdh, SSL_set_tmp_ecdh, SSL_CTRL_SET_TMP_ECDH,
> SSL_CTX_set_tmp_ecdh_callback, SSL_set_tmp_ecdh_callback,
> SSL_CTRL_SET_TMP_ECDH_CB in the source code.
> 
> References
> ==========
> 
> URL for this Security Advisory:
> http://www.openssl.org/news/secadv_20110906.txt
> 

Will this affect OpenSSL 1.0.1?


-- 
Member - Liberal International  This is doc...@nl2k.ab.ca Ici doc...@nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist 
rising! 
https://www.fullyfollow.me/rootnl2k
IT is done!  http://groups.google.com/group/rec.arts.drwho/about
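An added example, not from the advisory or the OpenSSL project, that applies the two source-level checks the advisory describes ("Which applications are affected") to a local tree: it greps for the CRL verification flags and for the tmp_ecdh API names the advisory lists, and returns a bitmask so it can be used from a build or audit script. The symbol lists are the advisory's own; the directory and file names in the usage are constructed.

```shell
#!/bin/sh
# Audit a source tree for the two exposure indicators named in the OpenSSL
# advisory of 6 September 2011 (added example, not OpenSSL project code).

# API names whose presence means the application can enable ephemeral ECDH
# ciphersuites (CVE-2011-3210). List taken verbatim from the advisory.
ECDH_SYMBOLS='SSL_CTX_set_tmp_ecdh|SSL_set_tmp_ecdh|SSL_CTRL_SET_TMP_ECDH|SSL_CTX_set_tmp_ecdh_callback|SSL_set_tmp_ecdh_callback|SSL_CTRL_SET_TMP_ECDH_CB'
# Verification flags that turn on OpenSSL's internal CRL checking (CVE-2011-3207).
CRL_FLAGS='X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL'

# count_matches <dir> <ERE>: number of C/C++ source files containing the pattern.
count_matches() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' -o -name '*.cc' -o -name '*.cpp' \) \
        -exec grep -lE "$2" {} + 2>/dev/null | wc -l | tr -d ' '
}

# audit_openssl_exposure <srcdir>: prints findings and returns a bitmask:
#   0 = neither indicator found, 1 = internal CRL checking is enabled somewhere,
#   2 = ephemeral ECDH API is used, 3 = both.
# Source presence is only the first half of the advisory's test: for ECDH the
# ciphersuites must also be enabled in the running configuration.
audit_openssl_exposure() {
    dir=$1
    status=0
    crl=$(count_matches "$dir" "$CRL_FLAGS")
    ecdh=$(count_matches "$dir" "$ECDH_SYMBOLS")
    if [ "$crl" -gt 0 ]; then
        echo "CRL: $crl file(s) set X509_V_FLAG_CRL_CHECK*; CVE-2011-3207 applies on OpenSSL 1.0.0-1.0.0d"
        status=$((status | 1))
    fi
    if [ "$ecdh" -gt 0 ]; then
        echo "ECDH: $ecdh file(s) use the tmp_ecdh API; CVE-2011-3210 applies on 0.9.8-0.9.8s (ECCdraft) and 1.0.0-1.0.0d"
        status=$((status | 2))
    fi
    [ "$status" -eq 0 ] && echo "No exposure indicators found in $dir"
    return $status
}

# Usage (constructed path): audit_openssl_exposure /path/to/app/src; echo "exit=$?"
```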
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org