OpenSSL has closed four dangerous vulnerabilities

    The OpenSSL Project has released patches for its open source encryption package to fix the recently discovered POODLE SSL vulnerability and others. Updates are available for OpenSSL 0.9.8zc, 1.0.0o and 1.0.1j.





    In total, the OpenSSL developers fixed four vulnerabilities in the latest version of the popular cryptographic library, one of which was rated high-risk.

    Two were linked to POODLE (Padding Oracle On Downgraded Legacy Encryption), which exposed data such as cookies sent over a secure connection. Two more caused memory leaks and opened up the possibility of a DoS attack.

    According to a research paper published Tuesday by Google security experts Bodo Möller, Thai Duong and Krzysztof Kotowicz, POODLE is the result of a flaw in the 15-year-old version 3.0 of the SSL protocol. Although many sites have adopted the Transport Layer Security (TLS) protocol, the major web browsers, including Chrome and Firefox, still provide SSL 3.0 support when they cannot connect to the server using a more modern protocol.
