Security vulnerability in OpenSSL DTLS implementation
The OpenSSL development team have fixed a critical security vulnerability in the processing of DTLS connections in the new version, 0.9.8f, of their encryption library. The vulnerability may allow attackers to remotely inject and execute arbitrary malicious code and so gain control of vulnerable systems. DTLS (Datagram TLS) is a variant of TLS for the UDP protocol. Standard TLS and SSL applications are based on TCP and are not affected by the problem.
As a standard promoted by the IETF for encrypting internet telephony connections, DTLS is likely to become considerably more significant in the future. A large number of DTLS applications can also be anticipated in other areas, such as media streaming and gaming servers. To date, however, very few products support DTLS. Linux distributor Red Hat, for example, felt obliged to point out in its own OpenSSL advisory that none of the packages in its software repository currently uses DTLS.
- OpenSSL Security Advisory [12-Oct-2007], information on the new version from the developers