Vulnerability category: General remote services
Severity:
Vulnerability information
The OpenSSL Project is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS) protocols as well as a general purpose cryptography library.
OpenSSL contains the following vulnerabilities:
- OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
- SSL_peek() hang on empty record (CVE-2016-6305)
- SWEET32 Mitigation (CVE-2016-2183)
- OOB write in MDC2_Update() (CVE-2016-6303)
- Malformed SHA512 ticket DoS (CVE-2016-6302)
- OOB write in BN_bn2dec() (CVE-2016-2182)
- OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
- Pointer arithmetic undefined behaviour (CVE-2016-2177)
- Constant time flag not preserved in DSA signing (CVE-2016-2178)
- DTLS buffered message DoS (CVE-2016-2179)
- DTLS replay protection DoS (CVE-2016-2181)
- Certificate message OOB reads (CVE-2016-6306)
- Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307)
- Excessive allocation of memory in dtls1_preprocess_fragment() (CVE-2016-6308)
Affected Versions:
- OpenSSL 1.1.0 prior to 1.1.0a
- OpenSSL 1.0.2 prior to 1.0.2i
- OpenSSL 1.0.1 prior to 1.0.1u
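A practical first step for a defender is to compare the version string reported by `openssl version` against the fixed releases listed above. The following check is an added example, not code from the advisory or the OpenSSL project; the sample version strings it is run on are constructed, and the three fixed-release letters are taken from the affected-version list on this page.

```python
import re

# Fixed releases named in the advisory: (major, minor, fix) branch -> first
# patch letter that contains the fixes for the CVEs listed above.
FIXED = {
    (1, 1, 0): "a",   # 1.1.0 prior to 1.1.0a is affected
    (1, 0, 2): "i",   # 1.0.2 prior to 1.0.2i is affected
    (1, 0, 1): "u",   # 1.0.1 prior to 1.0.1u is affected
}

# Matches e.g. "1.0.2h" inside "OpenSSL 1.0.2h  3 May 2016" (the form printed
# by `openssl version`); the trailing letters are the patch level.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, fix, letters) parsed from a version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def patch_key(letters):
    """Sort key for letter patch levels: '' < 'a' < 'b' < ... < 'z' < 'za'.
    Shorter strings sort first, then lexicographically within a length."""
    return (len(letters), letters)


def is_affected(text):
    """True  -> version is in an affected range from this advisory.
    False -> version is at or past the fixed release for its branch.
    None  -> the branch is not covered by this advisory (no verdict)."""
    major, minor, fix, letters = parse_openssl_version(text)
    fixed_letters = FIXED.get((major, minor, fix))
    if fixed_letters is None:
        return None
    return patch_key(letters) < patch_key(fixed_letters)


if __name__ == "__main__":
    # Constructed sample outputs of `openssl version` for illustration only.
    for sample in (
        "OpenSSL 1.0.2h  3 May 2016",
        "OpenSSL 1.0.2i  22 Sep 2016",
        "OpenSSL 1.1.0  25 Aug 2016",
        "OpenSSL 1.0.1u  22 Sep 2016",
        "OpenSSL 1.0.0t  3 Dec 2015",
    ):
        print(f"{sample!r:40} affected={is_affected(sample)}")
```

One caveat when using a version-string check like this: Linux distributions often backport security fixes without changing the upstream version letter, so a host can report `1.0.1t` and still be patched. Treat a `True` result as a prompt to verify the distribution's package changelog, not as proof of exposure.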
Impact
A malicious remote user may be able to execute arbitrary code as well as cause a denial of service on the targeted host.
Solution
OpenSSL versions 1.1.0a, 1.0.2i and 1.0.1u have been released to address these issues. Refer to the OpenSSL Advisory for more information.
Patch:
The following are links for downloading patches to fix the vulnerabilities: