14. CLARA ONLINE
Matt Caswell matt at openssl.org
Mon Mar 16 19:05:31 UTC 2015
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
These releases will be made available on 19th March. They will fix a
number of security defects. The highest severity defect fixed by these
releases is classified as "high" severity.
(´▽`*) Ahaha
20. Mar 19 2015 OpenSSL Update
• Update regarding FREAK
• 0.9.8 series: SSLv3 disabled by default. 1.0.x series: export-grade encryption disabled by default.
• https://security-tracker.debian.org/tracker/CVE-2015-0209
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b4a8df38fc9ab3c089ca5765075ee53ec5bd66a
• failure to NULL a pointer freed on error.
• https://security-tracker.debian.org/tracker/CVE-2015-0285
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e1b568dd2462f7cacf98f3d117936c34e2849a6b
• under certain conditions a client can complete a handshake with an unseeded PRNG.
• https://security-tracker.debian.org/tracker/CVE-2015-0288
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=28a00bcd8e318da18031b2ac8778c64147cd54f9
• crypto/x509/x509_req.c bug #0day
• https://security-tracker.debian.org/tracker/CVE-2015-0291
• 1.0.2 server DoS
• No information has been released yet, so let's wait.