OpenSSL v0.9.8l released


1 reply to this topic

#1 AplusWebMaster

  • Authentic Member
  • 10,472 posts

Posted 06 November 2009 - 07:11 PM

FYI...

New version of OpenSSL released - OpenSSL 0.9.8l
- http://isc.sans.org/...ml?storyid=7543
Last Updated: 2009-11-06 22:43:05 UTC - "Due to the recent publishing of information regarding a TLS/SSL protocol vulnerability (previous ISC diary entry can be found here http://isc.sans.org/...ml?storyid=7534 ) OpenSSL has released a new version (OpenSSL 0.9.8l). It should be noted that this update does not "fix" the vulnerability in the protocol. It appears that they have made the choice to simply remove TLS/SSL renegotiation from their package by default... There will no doubt be instances where clients/servers will cease to function properly when renegotiation is disabled or removed. The nice thing about what OpenSSL has done is if you do run into issues, it appears to be an easy fix (set a flag and -hup!). So as always, make sure to test vigorously before you deploy! You can get this new version of OpenSSL at the link below:
http://www.openssl.org/source/
Release note from OpenSSL package:
'Disable renegotiation completely - this fixes a severe security problem (CVE-2009-3555) at the cost of breaking all renegotiation. Renegotiation can be re-enabled by setting SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at run-time. This is really not recommended unless you know what you're doing. [Ben Laurie]'
... Let us not forget that not all traffic that is TLS/SSL encrypted is HTTP. Just off the top of my head I can think of LDAP, MSSQL, Email, and let us not forget SSL VPNs! Since this is a bug in a low-lying protocol that higher level applications/protocols rely on, there will no doubt be a lot of interesting issues raised. No doubt plenty of people including myself will have a busy weekend rereading the TLS specification. For those who are bored, feel free to read that specification at the URL below:
TLS 1.0: http://www.ietf.org/rfc/rfc2246.txt
SSL 3.0: http://tools.ietf.or...ssl-version3-00 "

- http://www.us-cert.g...s_vulnerable_to
November 6, 2009

- http://blogs.iss.net...okieswiths.html
November 12, 2009

:ph34r:

Edited by AplusWebMaster, 16 November 2009 - 04:22 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
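Added example (not part of the post above, and not OpenSSL code): a small Python model of why the 0.9.8l release note quoted above takes the drastic step of disabling renegotiation outright. It models the published description of CVE-2009-3555, in which a man-in-the-middle opens its own TLS session to the server, sends a partial request, then forwards the victim's handshake as a renegotiation so that the victim's real request is appended to the attacker's bytes in one application-layer stream. The two server behaviours contrasted in the release note are modelled by one flag: set, the pre-fix splice happens; clear (the 0.9.8l default), the renegotiation is refused. The flag constant, function names and both HTTP requests are constructed for this example; the real OpenSSL flag is SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags, as the note says.

```python
"""Model of the CVE-2009-3555 renegotiation splice and of the OpenSSL 0.9.8l
mitigation (refuse renegotiation). Added illustration, not OpenSSL code.
"""
from typing import Optional

# Stand-in for SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION (value is illustrative).
ALLOW_UNSAFE_LEGACY_RENEGOTIATION = 0x0001


class RenegotiationRefused(Exception):
    """Raised when the modelled 0.9.8l server drops a renegotiation attempt."""


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x parser: request line plus headers up to the blank line.

    Header names are lower-cased; this is only as much parsing as the demo needs.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return {"method": method.decode(), "path": path.decode(),
            "version": version.decode(), "headers": headers, "body": body}


def application_stream(s3_flags: int, before_renegotiation: bytes,
                       after_renegotiation: bytes) -> bytes:
    """What the application layer sees on one TLS connection whose peer
    renegotiates midway.

    Legacy behaviour (flag set): bytes from before and after the new handshake
    are delivered as one continuous stream, so whoever held the first handshake
    can prepend data to the request of whoever completes the second.
    0.9.8l default (flag clear): the renegotiation is refused, so nothing from
    a second handshake is ever joined to the first.
    """
    if not (s3_flags & ALLOW_UNSAFE_LEGACY_RENEGOTIATION):
        raise RenegotiationRefused("renegotiation disabled (OpenSSL 0.9.8l default)")
    return before_renegotiation + after_renegotiation


# Constructed sample traffic (not captured from any real system).
# The attacker, as man-in-the-middle, sends a partial request on its own TLS
# session and deliberately leaves the last header line unterminated ...
ATTACKER_PREFIX = (b"GET /account/transfer?to=mallory&amount=1000 HTTP/1.1\r\n"
                   b"X-Ignore: ")
# ... then forwards the victim's ClientHello as a renegotiation, after which the
# victim's genuine request, cookie included, lands on the same stream.
VICTIM_REQUEST = (b"GET /account/balance HTTP/1.1\r\n"
                  b"Host: bank.example\r\n"
                  b"Cookie: session=victim-session-token\r\n"
                  b"\r\n")


def spliced_request(s3_flags: int) -> Optional[dict]:
    """Return the request the HTTP layer would act on, or None if the server
    refused the renegotiation and so no splice happened."""
    try:
        stream = application_stream(s3_flags, ATTACKER_PREFIX, VICTIM_REQUEST)
    except RenegotiationRefused:
        return None
    return parse_http_request(stream)


if __name__ == "__main__":
    legacy = spliced_request(ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
    # Attacker's request line carrying the victim's cookie; the victim's own
    # request line has been swallowed into the X-Ignore header.
    print(legacy["path"], legacy["headers"]["cookie"], legacy["headers"]["x-ignore"])
    print(spliced_request(0))  # 0.9.8l default: renegotiation refused, no splice
```

The point the model makes is the one the release note hints at: the TLS layer hands the application a single byte stream, so the HTTP server cannot tell which bytes arrived under which handshake, and the only fix available in 0.9.8l was to stop a second handshake from ever happening. Re-enabling renegotiation with the flag restores the legacy stream exactly as shown, which is why the note says it is not recommended unless you know what you are doing.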



#2 AplusWebMaster

Posted 17 November 2009 - 01:51 PM

FYI...

OpenVPN fixed OpenSSL session renegotiation issue
- http://isc.sans.org/...ml?storyid=7603
Last Updated: 2009-11-17 14:59:46 UTC - "OpenVPN released an update to respond to the OpenSSL vulnerability described in CVE-2009-3555*. OpenVPN has identified a vulnerability caused by an error in OpenSSL which could be exploited by attackers to manipulate certain data and information.

OpenVPN recommends upgrading to version 2.1_rc21, which is available here:
- http://openvpn.net/i.../downloads.html

Additional information regarding OpenVPN session renegotiation is available here:
- http://article.gmane...nvpn.devel/2835 "

* http://web.nvd.nist....d=CVE-2009-3555
Last revised: 11/17/2009

- http://www.symantec....security-issues
November 16, 2009

:ph34r:

Edited by AplusWebMaster, 18 November 2009 - 09:18 AM.

