Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 4 subscribers
  • Views 5060 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

OpenSSL updates.

NewImage
US-CERT  Notice Original release date: March 19, 2015
OpenSSL has released new updates addressing multiple vulnerabilities, one of which is classified as a high severity issue. Exploitation could allow a remote attacker to cause a cause a Denial of Service attack against the server.

Updates available include:

OpenSSL 1.0.2a for 1.0.2 users
OpenSSL 1.0.1m for 1.0.1 users
OpenSSL 1.0.0r for 1.0.0 users
OpenSSL 0.9.8zf for 0.9.8 users

------
With the DOS attack, an attacker can crash a system using that is using TLS 1.2


This thread was automatically locked due to age.
  • 0
    More info:
    https://www.openssl.org/news/secadv_20150319.txt
    "OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)"

    Barry
  • 0
    Looks like fixed in the new 9.310
    Import OpenSSL security updates from 1.0.1m
  • 0 in reply to NewImage
    Looks like fixed in the new 9.310
    Import OpenSSL security updates from 1.0.1m


    Should be GA release next week. SR looks good so far.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0

    I know this is an old post, but looks like Sophos has ignored updating OpenSSL in the firmware.

    UTM 9.407003 - 

    >openssl version
    OpenSSL 1.0.1k 8 Jan 2015

     Client download however is: library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.09

    Since there have been numerous firmware updates, why has Sophos ignored updating OpenSSL to a later version?

    Regards Simon

    Sophos XG 17.5.1 MR-1 | Dell 7010 | Intel(R) Core(TM) i5-3550 CPU @ 3.70GHz | 8GB Memory
    Samsung EVO 850 120GB SDD | 1x Intel 82574L / 2x 82571EB Gigabit Ethernet Controller (rev 06)

  • 0 in reply to dark moon

    This type of question has been asked and answered regularly here.  Originally Astaro Security Linux, the UTM runs in a hardened version of Suse Linux.  No new version of one of the components is added until it's been thoroughly tested.  Unless there's a compelling reason to make that effort, it's usually easier/surer to patch the version currently in use.

    What specific vulnerability concerns you that existed in "k" but has been resolved in the "t" version?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA