OpenSSL Security Advisory [05 Jun 2014]
SSL/TLS MITM vulnerability (CVE-2014-0224)
อ่านข่าวเพิ่มเติม
The team behind the OpenSSL Project sounded that warning in a June 5 security alert, noting that all versions of the OpenSSL client produced since the project began in 1998 - and recent versions of their server code - are vulnerable to a man-in-the-middle attack that would force servers and clients to use weak keys, which would allow attackers to decrypt traffic. They’ve also released new versions of OpenSSL to patch the bugs and security flaws.
ทาง Redhat
https://access.redhat.com/security/cve/CVE-2014-0224
Details[INDENT]It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server.[/INDENT]
สำหรับ Debian
https://www.debian.org/security/2014/dsa-2950
สำหรับ CentOS
CentOS5: http://lists.centos.org/pipermail/centos-announce/2014-June/020346.html
CentOS6: [CentOS-announce] CESA-2014:0626 Important CentOS 6 openssl098e Update
ผมทำการ update แล้ว วันนี้ได้แบบนี้
[COLOR=#222222][FONT=Verdana]rpm -qa | grep openssl-1.0 | xargs rpm -q --changelog $1 | head
[/FONT][/COLOR]* Mon Jun 02 2014 Tomรกลก Mrรกz <tmraz@redhat.com> 1.0.1e-16.14
- fix CVE-2010-5298 - possible use of memory after free
- fix CVE-2014-0195 - buffer overflow via invalid DTLS fragment
- fix CVE-2014-0198 - possible NULL pointer dereference
- fix CVE-2014-0221 - DoS from invalid DTLS handshake packet
[B][COLOR=#ff0000]- fix CVE-2014-0224 - SSL/TLS MITM vulnerability[/COLOR][/B]
- fix CVE-2014-3470 - client-side DoS when using anonymous ECDH
* Mon Apr 07 2014 Tomรกลก Mrรกz <tmraz@redhat.com> 1.0.1e-16.7
[COLOR=#222222][FONT=Verdana]- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
[/FONT][/COLOR]