OpenSSL crypto bypass flaw (TLS)

clownjugglar

New Member
"OpenSSL's ChangeCipherSpec processing has a serious vulnerability," the Lepidum advisory stated. "This vulnerability allows malicious intermediate nodes to intercept encrypted data and decrypt them while forcing SSL clients to use weak keys which are exposed to the malicious nodes. There are risks of tampering with the exploits on contents and authentication information over encrypted communication via web browsing, e-mail and VPN, when the software uses the affected version of OpenSSL."
Quote from ArsTechnica article: http://arstechnica.com/security/2014/06/still-reeling-from-heartbleed-openssl-suffers-from-crypto-bypass-flaw/

edit: Edit to note that Debian Wheezy, CentOS and Arch Linux have already been patched.

For those interested, Debian Security mailing list post: https://lists.debian.org/debian-security-announce/2014/msg00129.html
 
Last edited by a moderator:
Top