OpenSSL bulletin

The OpenSSL folks have just issued an advisory affecting  DTLS in OpenSSL 0.9.8 prior to 0.9.8f and SSL_get_shared_ciphers() in both 0.9.8 prior to 0.9.8f and 0.9.7 prior to 0.9.7m.  DTLS is a UDP version of TLS described in RFC 4347.

Recommendations: If you are running 0.9.8 can't upgrade to 0.9.8f immediately, you should disable DTLS.  If you are running 0.9.7 and can't upgrade to 0.9.7m, don't use the SSL_get_shared_ciphers() routine.

Advisory: http://www.openssl.org/news/secadv_20071012.txt

CVE entries: CVE-2007-4995, CVE-2007-5135

I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS Tokyo Autumn 2022

Jim

423 Posts
ISC Handler
Oct 13th 2007

Sign Up for Free or Log In to start participating in the conversation!