The popular OpenSSL encryption scheme underlying much of the Web’s security protocols is finally turning a corner.
With Heartbleed now well behind it, the open-source SSL/TLS security protocol released a project road map laying out its short- and long-term goals, and it has issued nine security fixes to the encryption scheme. In a Security Advisory, OpenSSL detailed patches for issues discovered over the last two months by security researchers and developers from companies including Codenomicon, Google and LogMeIn.
(Related: OpenSSL’s project road map)
The issued fixed in the security patch include
• Information leak in printing functions: Applications that echo syntax highlighting output to attackers no longer leak information from the stack.
• Crash with SRP cipher suite in Server Hello message: Malicious servers can no longer crash clients with null pointer dereferences or DDoS attacks.
• Race condition in ssl_parse_serverhello_tlsext: Server format extension no longer writes up to 255 byes of free memory if a multi-thread client connects to a malicious server.
• Double Free when processing DTLS packets: Attackers can no longer use DDoS attacks to force error conditions when processing DTLS packets due to twice-freed memory.
• DTLS memory exhaustion: Attackers can no longer use DDoS attacks to force OpenSSL to consume excess memory during DTLS handshakes.
• DTLS memory leak from zero-length fragments: Attackers can no longer DDoS OpenSSL to leak memory through DTLS packets.
• OpenSSL DTLS anonymous DDoS: DTLS clients enabling anonymous cipher suites are no longer vulnerable to malicious server DDoS attacks.
• OpenSSL TLS protocol downgrade attack: Patched a SSL/TLS server code flaw that allowed man-in-the-middle attackers to force a downgrade to TLS 1.0.
• SRP buffer overrun: Malicious clients and servers can no longer send invalid SRP parameters to overrun internal buffers.
For more information, the full security advisory is available here.
