
OpenSSL updates.

US-CERT Notice, original release date: March 19, 2015
OpenSSL has released new updates addressing multiple vulnerabilities, one of which is classified as a high severity issue. Exploitation could allow a remote attacker to cause a Denial of Service attack against the server.

Updates available include:

OpenSSL 1.0.2a for 1.0.2 users
OpenSSL 1.0.1m for 1.0.1 users
OpenSSL 1.0.0r for 1.0.0 users
OpenSSL 0.9.8zf for 0.9.8 users

------
With the DoS attack, an attacker can crash a system that is using TLS 1.2


  • I know this is an old post, but it looks like Sophos has ignored updating OpenSSL in the firmware.

    UTM 9.407003 - 

    >openssl version
    OpenSSL 1.0.1k 8 Jan 2015

     Client download however is: library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.09

    Since there have been numerous firmware updates, why has Sophos ignored updating OpenSSL to a later version?

  • This type of question has been asked and answered regularly here.  Originally Astaro Security Linux, the UTM runs in a hardened version of Suse Linux.  No new version of one of the components is added until it's been thoroughly tested.  Unless there's a compelling reason to make that effort, it's usually easier/surer to patch the version currently in use.

    What specific vulnerability concerns you that existed in "k" but has been resolved in the "t" version?

    Cheers - Bob
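As an added example (not code from the thread, US-CERT or Sophos), here is a small Python check that parses the output of `openssl version` as shown above, compares the version against the fixed releases listed in the March 2015 notice, and reports the result. It deliberately returns "below-fixed-version" rather than "vulnerable": as Bob's reply points out, a vendor that backports fixes (the UTM's 1.0.1k) does not bump the version string, so a string comparison is a prompt to ask the vendor, not proof of exposure. The `FIXED` table, the function names and the sample version strings are mine, the samples being constructed for illustration.

```python
"""Compare `openssl version` output against the March 19, 2015 fixed releases.

Added example for the thread above; not code from Sophos, US-CERT or OpenSSL.
"""
import re
import subprocess

# Fixed releases from the March 19, 2015 OpenSSL advisory, keyed by branch.
FIXED = {
    "1.0.2": "1.0.2a",
    "1.0.1": "1.0.1m",
    "1.0.0": "1.0.0r",
    "0.9.8": "0.9.8zf",
}

# Matches the version token in `openssl version` output, e.g.
# "OpenSSL 1.0.1k 8 Jan 2015" -> ("1.0.1", "k"); a bare "1.0.2" has suffix "".
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")
_BARE_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_banner(text):
    """Return (branch, suffix) from `openssl version` output, e.g. ('1.0.1', 'k')."""
    m = _BANNER_RE.search(text)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % text)
    return m.group(1), m.group(2)


def version_key(version):
    """Sort key for 0.9.x/1.0.x-style versions such as '1.0.1k' or '0.9.8zf'.

    The numeric part compares numerically. The letter suffix orders
    '' < 'a' < ... < 'z' < 'za' < 'zb' ..., so a longer suffix always wins
    and equal-length suffixes compare alphabetically.
    """
    m = _BARE_RE.fullmatch(version)
    if not m:
        raise ValueError("not an OpenSSL version: %r" % version)
    suffix = m.group(4)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), len(suffix), suffix)


def check_version(text):
    """Classify `openssl version` output against the fixed release of its branch.

    Returns 'fixed', 'below-fixed-version' or 'unknown-branch'.
    'below-fixed-version' does not mean vulnerable: distribution and appliance
    builds (the UTM's 1.0.1k in the thread) often backport fixes without
    changing the version string, so this result should be followed up with
    the vendor's advisory rather than treated as a finding on its own.
    """
    branch, suffix = parse_banner(text)
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unknown-branch"
    if version_key(branch + suffix) >= version_key(fixed):
        return "fixed"
    return "below-fixed-version"


def local_openssl_banner():
    """Run the local `openssl version`; returns None if the binary is missing."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, timeout=10, check=True).stdout
    except (OSError, subprocess.CalledProcessError, subprocess.TimeoutExpired):
        return None
    return out.strip()


if __name__ == "__main__":
    # Constructed samples: the two strings quoted in the thread plus edge cases.
    samples = [
        "OpenSSL 1.0.1k 8 Jan 2015",   # UTM firmware as posted
        "OpenSSL 1.0.1t  3 May 2016",  # client download as posted
        "OpenSSL 1.0.2 22 Jan 2015",   # no letter suffix: below 1.0.2a
        "OpenSSL 0.9.8ze 15 Jan 2015",  # two-letter suffix below zf
    ]
    banner = local_openssl_banner()
    if banner:
        samples.append(banner)
    for s in samples:
        print("%-32s %s" % (s, check_version(s)))
```

Run it on the appliance and on the client; when the firmware banner comes back "below-fixed-version", the right next step is the one Bob asks for, namely naming the specific CVE and checking whether the vendor's backported build carries that fix.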
