The sigalgs implementation in t1_lib.c in OpenSSL 1.0.2 prior to 1.0.2a allows remote malicious users to cause a denial of service (NULL pointer dereference and daemon crash) by using an invalid signature_algorithms extension in the ClientHello message during a renegotiation.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
openssl openssl 1.0.2 |
Heads up for July 9 security vulnerability fix
Sysadmins and anyone else with systems running OpenSSL code: a new version of the open-source crypto library will be released this week to "fix a single security defect classified as 'high' severity." The bug, we're told, will be addressed in versions 1.0.2d and 1.0.1p of the software. The vulnerability does not affect the 1.0.0 or 0.9.8 series. OpenSSL is a widely used library that provides encrypted HTTPS connections for countless websites, as well as other secure services. "The OpenSSL projec...
Is that all you’ve got, ClientHello? I put on my brown trousers for this?
OpenSSL patched a “high” severity flaw as part of a patch batch on Thursday that turned out to be nowhere near as scary as widely feared. Fortunately, fears the software update might address another Heartbleed have been confounded. The worst of the flaws – dubbed ClientHello (CVE-2015-0291) – is simply a DoS risk, as an advisory from the developers explains. The other “high” (the highest severity classification of flaw in the OpenSSL world) vulnerability in the batch turned up to ref...