  1. #1

    Multiple vulnerabilities discovered in OpenSSL and libssl.

    Hi,

    Just want to let everyone know there is a new security update for OpenSSL.

    I saw there is an update available for Ubuntu / Debian, but I did not see any for RHEL / CentOS yet.

    Details are below and on the OpenSSL website:


    OpenSSL Security Advisory [6 Aug 2014]
    ========================================

    Information leak in pretty printing functions (CVE-2014-3508)
    =============================================================

    A flaw in OBJ_obj2txt may cause pretty printing functions such as
    X509_name_oneline, X509_name_print_ex et al. to leak some information from the
    stack. Applications may be affected if they echo pretty printing output to the
    attacker. OpenSSL SSL/TLS clients and servers themselves are not affected.

    OpenSSL 0.9.8 users should upgrade to 0.9.8zb
    OpenSSL 1.0.0 users should upgrade to 1.0.0n.
    OpenSSL 1.0.1 users should upgrade to 1.0.1i.

    Thanks to Ivan Fratric (Google) for discovering this issue. This issue
    was reported to OpenSSL on 19th June 2014.

    The fix was developed by Emilia Käsper and Stephen Henson of the OpenSSL
    development team.


    Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)
    ==================================================================

    The issue affects OpenSSL clients and allows a malicious server to crash
    the client with a null pointer dereference (read) by specifying an SRP
    ciphersuite even though it was not properly negotiated with the client. This can
    be exploited through a Denial of Service attack.

    OpenSSL 1.0.1 SSL/TLS client users should upgrade to 1.0.1i.

    Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for discovering and
    researching this issue. This issue was reported to OpenSSL on 2nd July 2014.

    The fix was developed by Stephen Henson of the OpenSSL core team.


    Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
    ==============================================================

    If a multithreaded client connects to a malicious server using a resumed session
    and the server sends an ec point format extension it could write up to 255 bytes
    to freed memory.

    OpenSSL 1.0.0 SSL/TLS client users should upgrade to 1.0.0n.
    OpenSSL 1.0.1 SSL/TLS client users should upgrade to 1.0.1i.

    Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
    issue. This issue was reported to OpenSSL on 8th July 2014.

    The fix was developed by Gabor Tyukasz.


    Double Free when processing DTLS packets (CVE-2014-3505)
    ========================================================

    An attacker can force an error condition which causes openssl to crash whilst
    processing DTLS packets due to memory being freed twice. This can be exploited
    through a Denial of Service attack.

    OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8zb
    OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0n.
    OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1i.

    Thanks to Adam Langley and Wan-Teh Chang (Google) for discovering and
    researching this issue. This issue was reported to OpenSSL on 6th June
    2014.

    The fix was developed by Adam Langley.


    DTLS memory exhaustion (CVE-2014-3506)
    ======================================

    An attacker can force openssl to consume large amounts of memory whilst
    processing DTLS handshake messages. This can be exploited through a Denial of
    Service attack.

    OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8zb
    OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0n.
    OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1i.

    Thanks to Adam Langley (Google) for discovering and researching this
    issue. This issue was reported to OpenSSL on 6th June 2014.

    The fix was developed by Adam Langley.


    DTLS memory leak from zero-length fragments (CVE-2014-3507)
    ===========================================================

    By sending carefully crafted DTLS packets an attacker could cause openssl to
    leak memory. This can be exploited through a Denial of Service attack.

    OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8zb
    OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0n.
    OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1i.

    Thanks to Adam Langley (Google) for discovering and researching this
    issue. This issue was reported to OpenSSL on 6th June 2014.

    The fix was developed by Adam Langley.

    OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
    ===============================================================

    OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a
    denial of service attack. A malicious server can crash the client with a null
    pointer dereference (read) by specifying an anonymous (EC)DH ciphersuite and
    sending carefully crafted handshake messages.

    OpenSSL 0.9.8 DTLS client users should upgrade to 0.9.8zb
    OpenSSL 1.0.0 DTLS client users should upgrade to 1.0.0n.
    OpenSSL 1.0.1 DTLS client users should upgrade to 1.0.1i.

    Thanks to Felix Gröbert (Google) for discovering and researching this issue.
    This issue was reported to OpenSSL on 18th July 2014.

    The fix was developed by Emilia Käsper of the OpenSSL development team.


    OpenSSL TLS protocol downgrade attack (CVE-2014-3511)
    =====================================================

    A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
    TLS 1.0 instead of higher protocol versions when the ClientHello message is
    badly fragmented. This allows a man-in-the-middle attacker to force a
    downgrade to TLS 1.0 even if both the server and the client support a higher
    protocol version, by modifying the client's TLS records.

    OpenSSL 1.0.1 SSL/TLS server users should upgrade to 1.0.1i.

    Thanks to David Benjamin and Adam Langley (Google) for discovering and
    researching this issue. This issue was reported to OpenSSL on 21st July 2014.

    The fix was developed by David Benjamin.


    SRP buffer overrun (CVE-2014-3512)
    ==================================

    A malicious client or server can send invalid SRP parameters and overrun
    an internal buffer. Only applications which are explicitly set up for SRP
    use are affected.

    OpenSSL 1.0.1 SSL/TLS users should upgrade to 1.0.1i.

    Thanks to Sean Devlin and Watson Ladd (Cryptography Services, NCC
    Group) for discovering this issue. This issue was reported to OpenSSL
    on 31st July 2014.

    The fix was developed by Stephen Henson of the OpenSSL core team.

  2. #2
    Looks like CentOS finally provided an updated package for

    * OpenSSL 1.0.1e-34.el7_0.4 for CentOS 7
    * OpenSSL 1.0.1e-16.el6_5.15 for CentOS 6

    on CentOS 7
    Code:
    yum list updates | grep openssl
    openssl.x86_64                            1:1.0.1e-34.el7_0.4            updates
    openssl-devel.x86_64                      1:1.0.1e-34.el7_0.4            updates
    on CentOS 6
    Code:
    yum list updates | grep openssl
    openssl.x86_64                             1.0.1e-16.el6_5.15            updates
    openssl-devel.x86_64                       1.0.1e-16.el6_5.15            updates
    For CentOS 7
    Code:
    rpm -qa --changelog openssl | head -n9
    * Fri Aug 08 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-34.4
    - fix CVE-2014-3505 - doublefree in DTLS packet processing
    - fix CVE-2014-3506 - avoid memory exhaustion in DTLS
    - fix CVE-2014-3507 - avoid memory leak in DTLS
    - fix CVE-2014-3508 - fix OID handling to avoid information leak
    - fix CVE-2014-3509 - fix race condition when parsing server hello
    - fix CVE-2014-3510 - fix DoS in anonymous (EC)DH handling in DTLS
    - fix CVE-2014-3511 - disallow protocol downgrade via fragmentation
    For CentOS 6
    Code:
    rpm -qa --changelog openssl | head -n9
    * Fri Aug 08 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.15
    - fix CVE-2014-3505 - doublefree in DTLS packet processing
    - fix CVE-2014-3506 - avoid memory exhaustion in DTLS
    - fix CVE-2014-3507 - avoid memory leak in DTLS
    - fix CVE-2014-3508 - fix OID handling to avoid information leak
    - fix CVE-2014-3509 - fix race condition when parsing server hello
    - fix CVE-2014-3510 - fix DoS in anonymous (EC)DH handling in DTLS
    - fix CVE-2014-3511 - disallow protocol downgrade via fragmentation
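The changelog output in the post above can be compared against the advisory's CVE list. The following is an added example, not part of the original posts: the function names are made up for illustration, and the sample changelog is the seven fix lines copied from the CentOS 7 output above.

```shell
#!/bin/sh
# Added example: which advisory CVE ids does a package changelog not name?

# Extract unique CVE ids from text on stdin.
cve_ids() { grep -oE 'CVE-[0-9]{4}-[0-9]+' | sort -u; }

# Ids from the 6 Aug 2014 advisory quoted in this thread.
advisory_ids() {
    cve_ids <<'EOF'
CVE-2014-3508 CVE-2014-5139 CVE-2014-3509 CVE-2014-3505 CVE-2014-3506
CVE-2014-3507 CVE-2014-3510 CVE-2014-3511 CVE-2014-3512
EOF
}

# Sample input: the fix lines from the CentOS 7 changelog shown in the post.
sample_changelog() {
    cat <<'EOF'
- fix CVE-2014-3505 - doublefree in DTLS packet processing
- fix CVE-2014-3506 - avoid memory exhaustion in DTLS
- fix CVE-2014-3507 - avoid memory leak in DTLS
- fix CVE-2014-3508 - fix OID handling to avoid information leak
- fix CVE-2014-3509 - fix race condition when parsing server hello
- fix CVE-2014-3510 - fix DoS in anonymous (EC)DH handling in DTLS
- fix CVE-2014-3511 - disallow protocol downgrade via fragmentation
EOF
}

# $1 = required ids, one per line; $2 = changelog text.
# Prints every required id that the changelog does not mention.
unlisted_cves() {
    printf '%s\n' "$1" | while read -r id; do
        printf '%s\n' "$2" | grep -qwF -- "$id" || printf '%s\n' "$id"
    done
}

# On a live host, use "$(rpm -q --changelog openssl)" as the second argument.
unlisted_cves "$(advisory_ids)" "$(sample_changelog)"
```

An id that the changelog does not name is a prompt to read the vendor's own advisory for that CVE; on its own it does not show whether the package is affected.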

  3. #3
    But remember.... there is more to it than just updating via yum....

    You also need to restart any apps that used the SSL libraries, otherwise you are still effectively running the old versions. There are a couple of ways of doing this. The reboot method is very easy and of course effective. The non-reboot method takes a tad of know-how; using lsof and looking for ssl and deleted should be a big start on what services you need to stop/start or restart.
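The non-reboot check described in the post above can also be done without lsof by reading /proc/<pid>/maps, where the kernel marks a mapping whose file was replaced with " (deleted)". This is an added example, not part of the original posts: the function names are made up for illustration and the sample maps lines are constructed.

```shell
#!/bin/sh
# Added example: list processes that still map an old (unlinked) OpenSSL library.

# Read /proc/<pid>/maps text on stdin; print each deleted libssl/libcrypto
# path once. Matching on "libssl.so" / "libcrypto.so" skips NSS's libssl3.so.
stale_ssl_libs() {
    awk '$NF == "(deleted)" {
             n = split($(NF-1), parts, "/")
             if (parts[n] ~ /^lib(ssl|crypto)\.so/) print $(NF-1)
         }' | sort -u
}

# Constructed sample of a maps file taken after a package update.
sample_maps() {
    cat <<'EOF'
7f3a1c000000-7f3a1c061000 r-xp 00000000 fd:01 393301 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1c261000-7f3a1c265000 r--p 00061000 fd:01 393301 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1b800000-7f3a1b9b5000 r-xp 00000000 fd:01 393299 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3a1b000000-7f3a1b1b6000 r-xp 00000000 fd:01 393250 /usr/lib64/libc-2.17.so
7f3a1a000000-7f3a1a010000 r-xp 00000000 fd:01 393400 /usr/lib64/libssl3.so (deleted)
7f3a19000000-7f3a19021000 rw-p 00000000 00:00 0
EOF
}

# Walk every process; print "pid<TAB>command<TAB>stale libraries".
# Run as root to see processes owned by other users.
scan_procs() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        libs=$(cat "$maps" 2>/dev/null | stale_ssl_libs | tr '\n' ' ')
        [ -n "$libs" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        printf '%s\t%s\t%s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)" "$libs"
    done
}

sample_maps | stale_ssl_libs   # constructed sample
scan_procs                     # live system
```

Each process that scan_procs reports belongs to a service that still needs a restart; an empty result after restarting means nothing is left running on the old library.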
