OpenSSL Security Advisories, One After Another...

Hot off the press, the "OpenSSL Security Advisory [05 Jun 2014]":

  • SSL/TLS MITM vulnerability (CVE-2014-0224)
  • DTLS recursion flaw (CVE-2014-0221)
  • DTLS invalid fragment vulnerability (CVE-2014-0195)
  • SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
  • SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
  • Anonymous ECDH denial of service (CVE-2014-3470)

What a busy batch. The first security issue lets an attacker in a MITM position force the use of a weaker cipher:

An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers.

The third one could lead straight to arbitrary code execution:

A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server.

The next few days are going to be another endless upgrade hell for sysadmins...
