Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 11 May 2012 07:15:15 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: OpenSSL invalid TLS/DTLS record attack (CVE-2012-2333)

I think these should be in here given the importance of OpenSSL, as well
as to encourage relevant follow-ups.

----- Forwarded message -----

Subject: OpenSSL Security Advisory
Date: Thu, 10 May 2012 23:47:57 +0200 (CEST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL Security Advisory [10 May 2012]
=======================================

Invalid TLS/DTLS record attack (CVE-2012-2333)
===============================================

A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1, 1.2 and
DTLS can be exploited in a denial of service attack on both clients and
servers.

DTLS applications are affected in all versions of OpenSSL. TLS is only
affected in OpenSSL 1.0.1 and later.

Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic fuzzing
as a service testing platform.

The fix was developed by Stephen Henson of the OpenSSL core team.

Affected users should upgrade to OpenSSL 1.0.1c, 1.0.0j or 0.9.8x

References
==========

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20120510.txt


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBT6w226LSm3vylcdZAQKTzgf/cksRhBmKkc5BWGXHxRuNEpr7SplMvM1k
5HcyLrlUKE4E2tredaylgYhbpy9+50e8euv8cWdD5ErBklJ9SGso2YKl/FVOSO0e
T5MyGgOeQ4jAeyLlBahw6O74bUYrO3WntVyLJDrH6gRGN1dDjenMPErPUKUQGUMw
8Yy0JXbxIVhw731ymL6Iv2DuleFZvGCdSgPXbX39qXrAe5mD5wd5jGP50f7S0mEO
mj6/3zPxAHLrn5H9XXwqgebEylQkCHWdMIxSqYihea865/BShT5lXJdLief7YDlh
YEJVquVjGlRgTJZeq6YZab5c1Lg+Jlc9cxtniQv1QaAgfryEJ5biPQ==
=/mgW
-----END PGP SIGNATURE-----
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Announcement Mailing List                 openssl-announce@...nssl.org
Automated List Manager                           majordomo@...nssl.org

----- End forwarded message -----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.