Linux Today: Linux News On Internet Time.

Red Hat warns of hole in OpenSSL

Nov 17, 2010, 15:35 (0 Talkback[s])

"In an advisory, Linux distributor Red Hat has warned that a security vulnerability in OpenSSL can potentially be remotely exploited to break into a server. Affected versions include OpenSSL 0.9.8f to 0.9.8o, 1.0.0 and 1.0.0a. Updating to OpenSSL 0.9.8p or 1.0.0b closes the hole.

"The problem is caused by a race condition in the OpenSSL code for parsing TLS extensions. In certain circumstances a heap overflow can potentially be triggered if multiple sessions try to set a host name via a TLS extension. This allows attackers to inject up to 255 bytes of code into the application's heap and to execute it."

Complete Story

Related Stories: