Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
OpenSSL has fixed vulnerabilities in its implementation of the Datagram Transport Layer Security (DTLS) protocol that allowed secure communications to be decrypted.
The fix was one of six others contained in the latest versions of the OpenSSL library released this week.
The DTLS hole, detailed (pdf) by Kenny Paterson and Nadhem Alfardan under the 'Padding Oracle Attack' allowed an attacker to view encrypted data in plain text.
Timing differences in the cipher-block chaining process allowed dependenices between blocks of ciphertext to be overcome.
Other fixed vulnerabilities include three denial of service bugs, a double-free, and an Uninitialized SSL 3.0 Padding flaw.
The latter flaw was limited in scope and meant that in each record up to 15 bytes of uninitialized memory could be sent, encrypted, to SSL peers.
It arose because OpenSSL failed to clear the bytes used as block cipher padding in SSL 3.0 records. It did not affect TLS.
Copyright © SC Magazine, Australia
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.