This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

OpenSSL updates.

US-CERT Notice Original release date: March 19, 2015
OpenSSL has released new updates addressing multiple vulnerabilities, one of which is classified as a high severity issue. Exploitation could allow a remote attacker to cause a cause a Denial of Service attack against the server.

Updates available include:

OpenSSL 1.0.2a for 1.0.2 users
OpenSSL 1.0.1m for 1.0.1 users
OpenSSL 1.0.0r for 1.0.0 users
OpenSSL 0.9.8zf for 0.9.8 users

------
With the DOS attack, an attacker can crash a system using that is using TLS 1.2

This thread was automatically locked due to age.

0 BarryG over 10 years ago

More info:
https://www.openssl.org/news/secadv_20150319.txt
"OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)"

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 NewImage over 10 years ago

Looks like fixed in the new 9.310
Import OpenSSL security updates from 1.0.1m
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 10 years ago in reply to NewImage

Looks like fixed in the new 9.310
Import OpenSSL security updates from 1.0.1m

Should be GA release next week. SR looks good so far.
Cancel
Vote Up 0 Vote Down

Cancel
0 dark moon over 8 years ago

I know this is an old post, but looks like Sophos has ignored updating OpenSSL in the firmware.

UTM 9.407003 -

>openssl version
OpenSSL 1.0.1k 8 Jan 2015

Client download however is: library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.09

Since there have been numerous firmware updates, why has Sophos ignored updating OpenSSL to a later version?
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 8 years ago in reply to dark moon

This type of question has been asked and answered regularly here. Originally Astaro Security Linux, the UTM runs in a hardened version of Suse Linux. No new version of one of the components is added until it's been thoroughly tested. Unless there's a compelling reason to make that effort, it's usually easier/surer to patch the version currently in use.

What specific vulnerability concerns you that existed in "k" but has been resolved in the "t" version?

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel