OpenSSL Buffer Overflow Fix Released

OpenSSL versions 0.9.8f to 0.9.8o, 1.0.0, and 1.0.0a have a buffer overflow vulnerability in the TLS server extension parsing code as described in CVE-2010-3864. The problem affects OpenSSL instances which are multi-threaded and use the internal caching mechanism in Open SSL. If an OpenSSL server is multi-threaded or has its internal caching disabled (e.g. Apache HTTP and Stunnel), then according to the vendor you are OK.

No public exploits for this are known as of this writing (18 Nov 2010).

References:
http://www.openssl.org/news/secadv_20101116.txt

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Share

Leave a Reply