Red Hat warns of hole in OpenSSL

"In an advisory, Linux distributor Red Hat has warned that a security vulnerability in OpenSSL can potentially be remotely exploited to break into a server. Affected versions include OpenSSL 0.9.8f to 0.9.8o, 1.0.0 and 1.0.0a. Updating to OpenSSL 0.9.8p or 1.0.0b closes the hole.

"The problem is caused by a race condition in the OpenSSL code for parsing TLS extensions. In certain circumstances a heap overflow can potentially be triggered if multiple sessions try to set a host name via a TLS extension. This allows attackers to inject up to 255 bytes of code into the application's heap and to execute it."

Complete Story

Related Stories:

• The EFF SSL Observatory(Aug 06, 2010)
• OpenSSL 1.0.0 released(Mar 30, 2010)
• Attacks Against SSL(Jan 31, 2010)
• Highlight Domain & Subdomain for SSL websites in Firefox(May 28, 2009)
• Attack on SSL Users Discovered, Tool Sources Released(Feb 25, 2009)
• Fedora 7 to 10 Benchmarks(Oct 31, 2008)
• After Debian's Epic SSL Blunder, A World of Hurt for Security Pros(May 22, 2008)