OpenSSL Releases OpenSSL 1.0.1j, 1.0.0o and 0.9.8zc, (Wed, Oct 15th)

This update to the OpenSSL Library addresses 3 vulnerabilities. One of these is the POODLE vulnerability announced yesterday.

CVE-2014-3513: A memory leak in parsing DTLS SRTP messages can lead to a denial of service. You are vulnerable unless you specifically compiled your OpenSSL library with the OPENSSL_NO_SRTP option. All 1.0.1 versions of OpenSSL are affected.

CVE-2014-3567: Another memory leak that can lead to a DoS attack. In this case, memory is not freed if an SSL session ticket fails an integrity check. OpenSSL 0.9.8, 1.0.0 and 1.0.1 are affected.

CVE-2014-3566 (POODLE): OpenSSL now supports TLS_FALLBACK_SCSV to prevent a MitM from downgrading an SSL connection. This affects OpenSSL 1.0.1, 1.0.0 and 0.9.8.
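To show what the TLS_FALLBACK_SCSV support actually does on the server side, here is an added example (not OpenSSL's code) that implements the RFC 7507 decision rule over constructed, minimal ClientHello bodies: a client retrying at a lower protocol version after a failed handshake includes the signalling cipher suite 0x5600, and a server that supports a higher version answers with an inappropriate_fallback alert instead of completing the downgraded handshake.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signalling cipher suite value
SSL3, TLS1_0, TLS1_2 = 0x0300, 0x0301, 0x0303


def build_client_hello(version, suites):
    """Constructed minimal ClientHello body for the demo: client_version(2),
    random(32 zero bytes), empty session_id, cipher_suites (2-byte length)."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    return body


def parse_client_hello(hello):
    """Return (client_version, [cipher_suite, ...]) from a ClientHello body."""
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                                   # skip version and random
    sid_len = hello[pos]
    pos += 1 + sid_len                             # skip session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return version, suites


def server_decision(hello, server_max_version=TLS1_2):
    """RFC 7507 rule: if the SCSV is present and the client offers a version
    lower than the highest one this server supports, the hello is a fallback
    that a MitM may have forced, so reject it with inappropriate_fallback."""
    version, suites = parse_client_hello(hello)
    if TLS_FALLBACK_SCSV in suites and version < server_max_version:
        return "alert:inappropriate_fallback"
    return "proceed"


if __name__ == "__main__":
    aes128 = 0x002F                                # TLS_RSA_WITH_AES_128_CBC_SHA
    # 1) Retry at SSLv3 with the SCSV after the TLS 1.2 attempt was interfered with
    print(server_decision(build_client_hello(SSL3, [aes128, TLS_FALLBACK_SCSV])))
    # 2) SCSV at the server's own top version is harmless: the handshake proceeds
    print(server_decision(build_client_hello(TLS1_2, [aes128, TLS_FALLBACK_SCSV])))
    # 3) A client that never sends the SCSV gets no protection from it
    print(server_decision(build_client_hello(SSL3, [aes128])))
```

Case 3 is the reason the SCSV is a complement to, not a substitute for, disabling SSLv3 on the server: a client that does not send the signal cannot be told apart from a legitimately old one.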

CVE-2014-3568: No details available yet.


Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
