The OpenSSL team published a security advisory on August 6th 2014; see the OpenSSL site for more information. All vulnerabilities in that advisory have been patched in the latest versions of OpenSSL 1.0.1-chacha and 1.0.2-chacha:

  • Information leak in pretty printing functions (CVE-2014-3508)
  • Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)
  • Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
  • Double Free when processing DTLS packets (CVE-2014-3505)
  • DTLS memory exhaustion (CVE-2014-3506)
  • DTLS memory leak from zero-length fragments (CVE-2014-3507)
  • OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
  • OpenSSL TLS protocol downgrade attack (CVE-2014-3511)
  • SRP buffer overrun (CVE-2014-3512)

As always, check https://onwebsecurity.com/cryptography/openssl for the latest Windows 32- and 64-bit binaries, and https://github.com/PeterMosmans/openssl for the latest sources.

