A Fix for Serious Vulnerabilities Released by OpenSSL

These cookies are designed to enhance your experience when using this website and to provide you with more tailored services. We will not monitor your data when you visit our website. To meet your preferences, we will only need to use a small cookie so that you don't have to make this decision again.

This Cyber News was published on www.securityweek.com. Publication date: Tue, 07 Feb 2023 22:04:02 +0000

Cyber News related to A Fix for Serious Vulnerabilities Released by OpenSSL

CVE-2018-0688 - Open redirect vulnerability in SEIKO EPSON printers and scanners (DS-570W firmware versions released prior to 2018 March 13, DS-780N firmware versions released prior to 2018 March 13, EP-10VA firmware versions released prior to 2017 September 4, ...
6 years ago

CVE-2018-0689 - HTTP header injection vulnerability in SEIKO EPSON printers and scanners (DS-570W firmware versions released prior to 2018 March 13, DS-780N firmware versions released prior to 2018 March 13, EP-10VA firmware versions released prior to 2017 September ...
6 years ago

CVE-2022-1434 - The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being ...
2 years ago

OpenSSL Is Hiring - OpenSSL is hiring for a mid level engineer to join our team. We are seeking a Software Engineer to join our team. As a Software Engineer at OpenSSL, you will play a vital role in sustaining and evolving the core cryptography and network protocol ...
1 year ago Openssl.org

Lightship Security and the OpenSSL Corporation Submit OpenSSL 3.5.4 for FIPS 140-3 Validation - Lightship Security and the OpenSSL Corporation have jointly submitted OpenSSL version 3.5.4 for FIPS 140-3 validation, marking a significant milestone in cryptographic security standards. This submission aims to ensure that OpenSSL, a widely used ...
3 months ago Cybersecuritynews.com

CVE-2021-23841 - The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while ...
2 years ago

CVE-2020-1971 - The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they ...
3 years ago

OpenSSL 3.3 Alpha Release Date Announced - We are pleased to announce our schedule for the April release of OpenSSL 3.3. In accordance with our adoption of biannual time-based releases following the release of OpenSSL 3.2, this will be our first time-based release. An alpha of OpenSSL 3.3 ...
1 year ago Openssl.org

Adding OpenSSL Generated Certificates to Your Server: A Comprehensive Guide - Utilizing SSL/TLS certificates to encrypt data transferred between your server and clients is one of the fundamental components of server security. The process of adding OpenSSL-generated certificates to your server will be covered in detail in this ...
1 year ago Feeds.dzone.com

OpenSSL Vulnerabilities: Risks, Exploits, and Mitigation Strategies - OpenSSL, a widely used cryptographic library, has faced numerous vulnerabilities over the years that pose significant risks to global cybersecurity. This article explores the most critical OpenSSL vulnerabilities, their impact on organizations, and ...
3 months ago Cybersecuritynews.com CVE-2024-1234 CVE-2023-5678 Advanced Persistent Threat Groups

CVE-2019-1552 - OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / ...
3 years ago

Microsoft March 2024 Patch Tuesday fixes 60 flaws, 18 RCE bugs - Today is Microsoft's March 2024 Patch Tuesday, and security updates have been released for 60 vulnerabilities, including eighteen remote code execution flaws. This Patch Tuesday fixes only two critical vulnerabilities: Hyper-V remote code execution ...
1 year ago Bleepingcomputer.com

CVE-2021-3712 - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the ...
3 years ago

CVE-2021-23840 - Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value ...
2 years ago

CVE-2020-36164 - An issue was discovered in Veritas Enterprise Vault through 14.0. On start-up, it loads the OpenSSL library. The OpenSSL library then attempts to load the openssl.cnf configuration file (which does not exist) at the following locations in both the ...
5 years ago

CVE-2023-2650 - Issue summary: Processing some specially crafted ASN.1 object identifiers or ...
1 year ago

CVE-2021-23839 - OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. ...
2 years ago

CVE-2021-3449 - An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but ...
3 years ago

OpenSSL 3.5.0 Released with Support for Post-Quantum Cryptography - With OpenSSL 3.5.0, the project takes a bold step into the quantum era, equipping developers and organizations with tools to safeguard data against future quantum threats while maintaining backward compatibility with existing systems. The OpenSSL ...
9 months ago Cybersecuritynews.com

CVE-2021-4044 - Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return ...
2 years ago

CVE-2019-1543 - ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 ...
2 years ago

Latest Information Security and Hacking Incidents - Giants in enterprise software also released their fair share of fixes; in December, Atlassian and SAP fixed a number of serious bugs. What you should know about the significant updates you may have missed this month is provided here. Apple launched ...
2 years ago Cysecurity.news CVE-2023-42890 CVE-2023-4291 CVE-2023-42898 CVE-2023-42899 CVE-2023-40094 CVE-2023-7024 CVE-2023-36019

Microsoft December 2023 Patch Tuesday fixes 34 flaws, 1 zero-day - Today is Microsoft's December 2023 Patch Tuesday, which includes security updates for a total of 34 flaws and one previously disclosed, unpatched vulnerability in AMD CPUs. While eight remote code execution bugs were fixed, Microsoft only rated three ...
2 years ago Bleepingcomputer.com CVE-2023-20588

CVE-2017-3738 - There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult ...
3 years ago

CVE-2025-46551 - JRuby-OpenSSL is an add-on gem for JRuby that emulates the Ruby OpenSSL native library. Starting in JRuby-OpenSSL version 0.12.1 and prior to version 0.15.4 (corresponding to JRuby versions starting in 9.3.4.0 prior to 9.4.12.1 and 10.0.0.0 prior to ...
8 months ago