2012年1月 5日

[installer 3066] OpenSSL 1.0.0f, 0.9.8s

OpenSSL 1.0.0f, 0.9.8s 出ています。

複数のセキュリティホールの修正版です。
http://openssl.org/news/secadv_20120104.txt
参照のこと。

☆ openssl-1.0.0f
http://www.openssl.org/

ftp://ftp.openssl.org/source/openssl-1.0.0f.tar.gz
http://www.openssl.org/source/openssl-1.0.0f.tar.gz

Changes between 1.0.0e and 1.0.0f [4 Jan 2012]

*) Nadhem Alfardan and Kenny Paterson have discovered an extension
of the Vaudenay padding oracle attack on CBC mode encryption
which enables an efficient plaintext recovery attack against
the OpenSSL implementation of DTLS. Their attack exploits timing
differences arising during decryption processing. A research
paper describing this attack can be found at:
http://www.isg.rhul.ac.uk/~kp/dtls.pdf
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
Security Group at Royal Holloway, University of London
(www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
<seggelmann@xxxxx> and Michael Tuexen <tuexen@xxxxx>
for preparing the fix. (CVE-2011-4108)
[Robin Seggelmann, Michael Tuexen]

*) Clear bytes used for block padding of SSL 3.0 records.
(CVE-2011-4576)
[Adam Langley (Google)]

*) Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619)
[Adam Langley (Google)]

*) Check parameters are not NULL in GOST ENGINE. (CVE-2012-0027)
[Andrey Kulikov <amdeich@xxxxx>]

*) Prevent malformed RFC3779 data triggering an assertion failure.
Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
and Rob Austein <sra@xxxxx> for fixing it. (CVE-2011-4577)
[Rob Austein <sra@xxxxx>]

*) Improved PRNG seeding for VOS.
[Paul Green <Paul.Green@xxxxx>]

*) Fix ssl_ciph.c set-up race.
[Adam Langley (Google)]

*) Fix spurious failures in ecdsatest.c.

投稿者 xml-rpc : 2012年1月 5日 11:04
役に立ちました?:
過去のフィードバック 平均:(0) 総合:(0) 投票回数:(0)
本記事へのTrackback: http://hoop.euqset.org/blog/mt-tb2006.cgi/108335
トラックバック
コメント
コメントする




画像の中に見える文字を入力してください。