In association with heise online

09 December 2010, 02:45

New version of OpenSSL fixes two vulnerabilities

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

SSL Logo Version 1.0.0c of the free OpenSSL SSL implementation fixes two vulnerabilities. A flaw in an older workaround for Netscape browsers and servers can be remotely exploited to make an OpenSSL server downgrade the ciphersuite to a weaker one for subsequent connections. This can potentially simplify the cracking of encrypted connections. The update simply disables the workaround.

Another flaw in the implementation of the "Password Authenticated Key Exchange by Juggling" protocol (J-PAKE PDF) allows intruders to authenticate themselves without a secret key. While this flaw has been fixed in the current version, the developers point out that their implementation is still experimental and not compiled by default.

(ehe)

Print Version | Send by email | Permalink: http://h-online.com/-1150044
 


  • July's Community Calendar





The H Open

The H Security

The H Developer

The H Internet Toolkit