OpenSSL patches two high-severity flaws

OpenSSL has released versions 1.0.2h and 1.0.1t of its open source cryptographic library, fixing multiple security vulnerabilities that can lead to traffic being decrypted, denial-of-service attacks, and arbitrary code execution. One of the high-severity vulnerabilities is actually a hybrid of two low-risk bugs and can cause OpenSSL to crash.

Two seemingly unrelated bugs can be chained together to create a serious security problem. The first of the two bugs behind CVE-2016-2108 is an issue in the ASN.1 parser that triggers a buffer underflow and performs an out-of-bounds write if zero is represented as a negative value (a "negative zero"). Although the flaw was quietly patched last year, it wasn't considered a security vulnerability at the time, because an attacker would not be able to get the parser to create that value. However, there was an unrelated bug in which the ASN.1 parser could misinterpret a large universal tag as a negative zero value, which supplies exactly the input the first bug needs.
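A small model of the negative-zero corner case described above, added here as an example and not OpenSSL's own code: a DER INTEGER content encoder that takes OpenSSL-style sign-plus-magnitude input and canonicalises zero before the sign flag is consulted, so an empty magnitude never reaches the two's-complement loop that writes from the end of the buffer backwards. The function names and API are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* DER INTEGER content octets from sign-plus-magnitude input (hypothetical API, not
 * OpenSSL's): mag is big-endian, negative is the sign flag. Returns bytes written, or -1. */
int der_int_content(int negative, const unsigned char *mag, size_t len,
                    unsigned char *out, size_t outlen)
{
    size_t i, pad = 0;
    unsigned carry = 1;
    while (len > 0 && mag[0] == 0) { mag++; len--; }  /* drop leading zero bytes */
    /* Zero has exactly one DER encoding, 0x00, whatever the sign flag says. Deciding
     * this before looking at the sign is what removes the "negative zero" case. */
    if (len == 0) {
        if (outlen < 1) return -1;
        out[0] = 0x00;
        return 1;
    }
    if (!negative) {
        if (mag[0] & 0x80) pad = 1;                /* leading 0x00 keeps it positive */
        if (outlen < len + pad) return -1;
        if (pad) out[0] = 0x00;
        memcpy(out + pad, mag, len);
        return (int)(len + pad);
    }
    if (outlen < len + 1) return -1;               /* worst case: len bytes plus 0xFF */
    /* Two's complement, least significant byte first, written after a provisional
     * 0xFF slot. Because len >= 1 here, out[len] is always inside the buffer. */
    for (i = len; i-- > 0; ) {
        unsigned v = (unsigned char)~mag[i] + carry;
        out[1 + i] = (unsigned char)v;
        carry = v >> 8;
    }
    if (out[1] & 0x80) {                           /* top bit already set: no 0xFF needed */
        memmove(out, out + 1, len);
        return (int)len;
    }
    out[0] = 0xFF;
    return (int)(len + 1);
}

/* Encode and compare against an expected byte string; 1 on match, else 0. */
int der_int_matches(int negative, const unsigned char *mag, size_t len,
                    const unsigned char *expect, size_t expect_len)
{
    unsigned char out[32];
    int n = der_int_content(negative, mag, len, out, sizeof out);
    return n == (int)expect_len && memcmp(out, expect, expect_len) == 0;
}
```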



Story added 4 May 2016; the full text is available from the original content source.