
SANS ISC: OpenSSL bulletin SANS ISC InfoSec Forums

OpenSSL bulletin

The OpenSSL folks have just issued an advisory affecting DTLS in OpenSSL 0.9.8 prior to 0.9.8f and SSL_get_shared_ciphers() in both 0.9.8 prior to 0.9.8f and 0.9.7 prior to 0.9.7m. DTLS is a UDP version of TLS described in RFC 4347.

Recommendations: If you are running 0.9.8 and can't upgrade to 0.9.8f immediately, you should disable DTLS. If you are running 0.9.7 and can't upgrade to 0.9.7m, don't use the SSL_get_shared_ciphers() routine.

Advisory: http://www.openssl.org/news/secadv_20071012.txt

CVE entries: CVE-2007-4995, CVE-2007-5135

Jim

ISC Handler
Oct 13th 2007
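
To triage an inventory against the ranges in the bulletin above, the following added example (not part of the original diary or the OpenSSL advisory) classifies `openssl version` strings by branch and patch letter. The function names and the sample inventory are constructed for illustration.

```python
import re

# Affected ranges and workarounds as stated in the bulletin above.
# branch -> (first fixed letter, affected components, interim workaround)
BULLETIN = {
    "0.9.8": ("f", ["DTLS", "SSL_get_shared_ciphers()"], "disable DTLS"),
    "0.9.7": ("m", ["SSL_get_shared_ciphers()"],
              "do not call SSL_get_shared_ciphers()"),
}

# Matches '0.9.8', '0.9.8e', '0.9.8za'; ignores other branches such as 1.0.1e.
VERSION_RE = re.compile(r"(?<![\w.])(0\.9\.[78])([a-z]{0,2})\b")


def triage(version_text):
    """Classify one `openssl version` string against the bulletin's ranges."""
    m = VERSION_RE.search(version_text)
    if m is None:
        return {"version": None, "affected": [],
                "action": "not a 0.9.7/0.9.8 release; bulletin ranges do not apply"}
    branch, letter = m.groups()
    fixed, components, workaround = BULLETIN[branch]
    # Patch letters order as plain strings: '' < 'a' < ... < 'z' < 'za' < 'zb'.
    if letter >= fixed:
        return {"version": branch + letter, "affected": [], "action": "none"}
    return {"version": branch + letter, "affected": components,
            "action": f"upgrade to {branch}{fixed}; until then, {workaround}"}


# Constructed inventory (host -> output of `openssl version`), for illustration.
SAMPLE_INVENTORY = {
    "vpn-gw-01": "OpenSSL 0.9.8e 23 Feb 2007",
    "web-02": "OpenSSL 0.9.8f 11 Oct 2007",
    "legacy-mail": "OpenSSL 0.9.7l 28 Sep 2006",
    "build-box": "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008",
}


def affected_hosts(inventory):
    """Return the sorted host names whose version falls in an affected range."""
    return sorted(h for h, v in inventory.items() if triage(v)["affected"])


if __name__ == "__main__":
    for host, text in sorted(SAMPLE_INVENTORY.items()):
        print(host, triage(text))
```

Distribution packages often backport fixes without changing the version letter, so treat a hit as a prompt to check the vendor's own advisory rather than as proof of exposure.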
