In association with heise online

03 June 2010, 12:45

OpenSSL updates fix vulnerabilities

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

SSL Logo The OpenSSL developers have released versions 0.9.8o and 1.0.0a, fixing two security problems. A flaw in the ASN.1 parser can be exploited to write to invalid memory addresses using specially crafted "Cryptographic Message Syntax" (CMS) structures. The flaw potentially allows arbitrary code to be injected in order to compromise a system. CMS is not enabled by default in the 0.9.8 branch of OpenSSL, but it is enabled in the 1.0.0 branch.

An uninitialised buffer in the EVP_PKEY_verify_recover() function in version 1.0.0 can be exploited to make an invalid RSA key appear to be valid. Since very few applications have used this recently-introduced function, the scope of this problem is limited. The OpenSSL developers say that pkeyutl is currently one of the only OpenSSL tools to access this function.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit