PROJET AUTOBLOG


Shaarli - Les discussions de Shaarli

Archived

Original site: Shaarli - Les discussions de Shaarli, dated 23/07/2013


OpenSSL ClientHello and FREAK

Thursday 19 March 2015 at 21:54
CAFAI Liens en Vrac 19/03/2015
Latest OpenSSL vulnerabilities

The much-anticipated OpenSSL announcement finally reveals no fewer than 14 vulnerabilities, 2 of them classified as high severity. Even if this is not a Heartbleed 2, you would be foolish not to patch your servers.

First, FREAK (CVE-2015-0204) has been reclassified because EXPORT_RSA seems to be much more common than previously thought, leading the OpenSSL developers to escalate it from low to high.

The second high-severity vulnerability (CVE-2015-0291, "ClientHello") only concerns the latest OpenSSL version (1.0.2) and can lead to a DoS against your server. You can read the full report on the OpenSSL website.


https://www.openssl.org/news/secadv_20150319.txt
https://ma.ttias.be/openssl-cve-2015-0291-cve-2015-0286/