As announced on Tuesday, the OpenSSL project team released OpenSSL version 1.1.0c, which addresses three security vulnerabilities in the software.
The most serious of the three is a heap-based buffer overflow bug (CVE-2016-7054) affecting Transport Layer Security (TLS) connections that use *-CHACHA20-POLY1305 cipher suites.
The vulnerability, reported by Robert Święcki of the Google Security Team on September 25, can be used for a denial-of-service (DoS) attack: a corrupted large payload triggers the overflow and crashes OpenSSL.
The flaw is rated "High" severity and does not affect OpenSSL versions prior to 1.1.0. The OpenSSL team reports that there is no evidence the flaw is exploitable beyond a DoS attack.
The OpenSSL project also patches a moderate severity flaw (CVE-2016-7053) that can cause applications to crash.
"Applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure callback if an attempt is made to free certain invalid encodings. Only CHOICE structures using a callback which do not handle NULL value are affected," the team explains. This vulnerability also affects only OpenSSL 1.1.0.
The OpenSSL 1.1.0c update also fixes a low severity flaw (CVE-2016-7055) in the Broadwell-specific Montgomery multiplication procedure that handles input lengths divisible by, but longer than, 256 bits.
The issue was initially not considered a security problem, but it has since been shown that the bug can be exploited in very specific circumstances. The advisory notes that attacks against RSA, DSA and DH private keys are not possible, because the affected subroutine is not used in private-key operations on attacker-chosen input, and that the preconditions for an attack are considered unlikely.
This flaw also affects OpenSSL version 1.0.2, but because of its low severity the team has not issued a 1.0.2 update at this time. The fix will be included in the next 1.0.2 release, so 1.0.2 users will have to wait for it.
All users are strongly recommended to upgrade to OpenSSL version 1.1.0c.
As in its previous announcements, the OpenSSL Project reminded users that it will no longer support OpenSSL version 1.0.1 after December 31, 2016, and that 1.0.1 will receive no security updates after that deadline.
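As an added example (not code from the article or from the OpenSSL project), the script below turns the advisory summarised above into a quick inventory check: it parses the output of `openssl version` (or the `ssl.OPENSSL_VERSION` string of the library a Python interpreter links against) and reports which of the three CVEs, or the 1.0.1 end-of-support date, applies to that build. The sample version strings are constructed for the example, and the branch-to-finding mapping is an assumption taken from the advisory as described in the article: 1.1.0 builds before 1.1.0c get all three CVEs, every 1.0.2 build gets CVE-2016-7055 with the fix pending in the next 1.0.2 release, and 1.0.1 is flagged for end of support.

```python
"""Map an OpenSSL version string to the findings in the 1.1.0c advisory.

Added example; the sample version strings are constructed and the
branch-to-finding mapping is an assumption taken from the advisory text.
"""
import re
from dataclasses import dataclass

# Constructed sample `openssl version` outputs (not real captured data).
SAMPLE_VERSION_OUTPUTS = [
    "OpenSSL 1.1.0b  26 Sep 2016",   # pre-fix 1.1.0 build: all three CVEs
    "OpenSSL 1.1.0c  10 Nov 2016",   # the fixed release
    "OpenSSL 1.0.2j  26 Sep 2016",   # 1.0.2: CVE-2016-7055 only, fix pending
    "OpenSSL 1.0.1u  22 Sep 2016",   # 1.0.1: support ends 31 Dec 2016
]

# Pre-3.0 OpenSSL versions look like 1.1.0c: three numbers plus a patch letter.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str
    action: str


def parse_version(text):
    """Return (major, minor, fix, letter) from an `openssl version` line."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def findings_for(version):
    """Findings from the 1.1.0c advisory that apply to a parsed version."""
    major, minor, fix, letter = version
    branch = (major, minor, fix)
    # Patch letters sort alphabetically; "" is the unlettered first release,
    # so "" < "a" < "b" < "c" puts every pre-1.1.0c build in the affected set.
    if branch == (1, 1, 0) and letter < "c":
        return [
            Finding("CVE-2016-7054", "High", "upgrade to 1.1.0c"),
            Finding("CVE-2016-7053", "Moderate", "upgrade to 1.1.0c"),
            Finding("CVE-2016-7055", "Low", "upgrade to 1.1.0c"),
        ]
    if branch == (1, 0, 2):
        # Assumption from the advisory: no 1.0.2 update yet, fix in the next release.
        return [Finding("CVE-2016-7055", "Low", "fix due in the next 1.0.2 release")]
    if branch == (1, 0, 1):
        return [Finding("EOL", "n/a",
                        "no security updates after 31 Dec 2016; migrate to 1.1.0c")]
    return []


def audit(text):
    """Parse a version line and return the CVE/EOL identifiers that apply."""
    return [f.cve for f in findings_for(parse_version(text))]


def report_line(text):
    """One human-readable line for a version string."""
    hits = findings_for(parse_version(text))
    status = "; ".join(f"{f.cve} ({f.severity}): {f.action}" for f in hits)
    return f"{text.strip():<30} -> {status or 'no findings from this advisory'}"


if __name__ == "__main__":
    import ssl
    # First the library this interpreter links against, then the samples.
    for line in [ssl.OPENSSL_VERSION, *SAMPLE_VERSION_OUTPUTS]:
        try:
            print(report_line(line))
        except ValueError as exc:   # e.g. a LibreSSL build, which this map does not cover
            print(exc)
```

Feed the script the output of the system binary (`openssl version`) as well as the library each application actually links against, since the two often differ on the same host; a patched system package does nothing for a statically linked service.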