
SANS ISC: InfoSec Handlers Diary Blog


OpenSSL bulletin

Published: 2007-10-13
Last Updated: 2007-10-13 23:54:08 UTC
by Jim Clausing (Version: 2)
0 comment(s)

The OpenSSL folks have just issued an advisory affecting DTLS in OpenSSL 0.9.8 prior to 0.9.8f, and SSL_get_shared_ciphers() in both 0.9.8 prior to 0.9.8f and 0.9.7 prior to 0.9.7m. DTLS is the UDP version of TLS described in RFC 4347.

Recommendations: If you are running 0.9.8 and can't upgrade to 0.9.8f immediately, you should disable DTLS. If you are running 0.9.7 and can't upgrade to 0.9.7m, don't use the SSL_get_shared_ciphers() routine.


CVE entries: CVE-2007-4995, CVE-2007-5135
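To turn the version thresholds above into something you can run across a fleet, here is an added example (not from the diary or from the OpenSSL project) that classifies an `openssl version` string against the fixed releases named in the advisory, plus a crude string-match check for whether a given binary or shared object references SSL_get_shared_ciphers() at all. The function names, the output words and the sample version strings are my own constructions.

```shell
#!/bin/sh
# Added example, not part of the ISC diary or of OpenSSL itself.
# Maps an `openssl version` string onto the advisory's thresholds:
#   0.9.8 before 0.9.8f : DTLS (CVE-2007-4995) and SSL_get_shared_ciphers() (CVE-2007-5135)
#   0.9.7 before 0.9.7m : SSL_get_shared_ciphers() (CVE-2007-5135)
LC_ALL=C          # make the [a-e] / [a-l] ranges below byte-ordered, not locale-ordered
export LC_ALL

# Usage: openssl_advisory_status "<output of openssl version>"
# Prints exactly one word:
#   dtls-and-shared-ciphers | shared-ciphers | fixed | not-covered
openssl_advisory_status() {
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')                              # e.g. "0.9.8e"
    branch=$(printf '%s' "$ver" | sed 's/^\([0-9]*\.[0-9]*\.[0-9]*\).*$/\1/')       # "0.9.8"
    letter=$(printf '%s' "$ver" | sed 's/^[0-9]*\.[0-9]*\.[0-9]*\([a-z]*\).*$/\1/') # "e"; empty for a bare "0.9.8"
    case "$branch" in
        0.9.8)
            case "$letter" in
                ''|[a-e]) echo dtls-and-shared-ciphers ;;   # anything before 0.9.8f
                *)        echo fixed ;;                     # 0.9.8f and later
            esac ;;
        0.9.7)
            case "$letter" in
                ''|[a-l]) echo shared-ciphers ;;            # anything before 0.9.7m
                *)        echo fixed ;;                     # 0.9.7m and later
            esac ;;
        *)  echo not-covered ;;                             # a branch the advisory does not discuss
    esac
}

# Heuristic for the 0.9.7 advice ("don't use SSL_get_shared_ciphers()"):
# does this file carry the symbol name? A match only shows the name is present
# (a dynamic import or an exported symbol), not that the call is reachable; no
# match proves nothing for code that is statically linked with symbols stripped.
# Usage: references_shared_ciphers /path/to/binary-or-library   (exit 0 = found)
references_shared_ciphers() {
    grep -aq 'SSL_get_shared_ciphers' "$1"
}

# Stand-alone use: report on the OpenSSL found on PATH, if any.
if command -v openssl >/dev/null 2>&1; then
    echo "local openssl: $(openssl_advisory_status "$(openssl version 2>/dev/null)")"
fi
```

The letter comparison relies on OpenSSL's 0.9.x convention of a single trailing patch letter; a multi-letter suffix such as "zh" falls through to `fixed`, which is correct since it sorts after "f" and "m". The symbol check is deliberately crude: treat a hit as a reason to look at the code, not as proof of exposure, and treat a miss as no information.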

Update: Our good friend Raul Siles wrote in to remind us that DTLS is critical to secure VoIP deployments, so people running VoIP DTLS-based environments must evaluate whether their products are based on the OpenSSL implementation and ask the vendor for fixes. For more info on securing VoIP, check out the new SANS course, SEC 540.

