FYI...
OpenSSL 1.0.1u, 1.0.2i, 1.1.0a released
- https://www.openssl.org/news/secadv/20160922.txt
22 Sep 2016 - "Severity: High ...
OpenSSL 1.1.0 users should upgrade to 1.1.0a
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u ..."
- https://www.openssl.org/news/secadv/20160926.txt
26 Sep 2016 - "Severity: Critical
OpenSSL 1.1.0 users should upgrade to 1.1.0b ...
OpenSSL 1.0.2i users should upgrade to 1.0.2j ..."
> https://isc.sans.edu/diary.html?storyid=21509
2016-09-22 - "OpenSSL released an update today for all currently supported versions (1.0.1, 1.0.2, 1.1.0).
The update fixes -14- different vulnerabilities... With this update, the latest versions of OpenSSL for the various branches are 1.0.1u, 1.0.2i and 1.1.0a. All three branches are currently supported..."
(See chart @ the isc URL above.)
___
- http://www.securitytracker.com/id/1036878
CVE Reference: CVE-2016-6304
Sep 22 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 1.0.1, 1.0.2, 1.1.0...
Impact: A remote authenticated user can consume excessive memory resources on the target system.
Solution: The vendor has issued a fix (1.0.1u, 1.0.2i, 1.1.0a)...
- http://www.securitytracker.com/id/1036879
CVE Reference: CVE-2016-6305
Sep 22 2016
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
Version(s): 1.1.0...
Impact: A remote authenticated user can cause the target service to hang.
Solution: The vendor has issued a fix (1.1.0a)...
- http://www.securitytracker.com/id/1036885
CVE Reference: CVE-2016-6302, CVE-2016-6303, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309, CVE-2016-7052
Updated: Sep 26 2016
Fix Available: Yes Vendor Confirmed: Yes
Impact: A remote user can cause the target service or application to crash.
Solution: The vendor has issued a fix (1.0.1u, 1.0.2i, 1.1.0a).
[Editor's note: On September 26, 2016, the vendor reported that two of the fixed versions contain vulnerabilities. Version 1.1.0a is affected by a use-after-free memory error (CVE-2016-6309), reported by Robert Swiecki (Google Security Team). Version 1.0.2i is affected by a CRL processing null pointer exception (CVE-2016-7052), reported by Bruce Stephens and Thomas Jakobi. The revised fixes are versions 1.1.0b and 1.0.2j.]
___
- https://www.us-cert.gov/ncas/current...curity-Updates
Last revised: Sep 26, 2016
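As an added example (mine, not something from the OpenSSL advisories, the ISC diary or SecurityTracker), here is a small Python script that parses the first line of `openssl version` output and reports whether the installed build is at or past the floors quoted above. The branch/letter table comes straight from the two advisories: 1.0.1u, and the revised 1.0.2j and 1.1.0b rather than the 22 Sep 1.0.2i / 1.1.0a. The status names, the `check()`/`parse_version()` helpers, the single-letter patch-level assumption and the sample version strings are my own constructions.

```python
import re
import subprocess

# Minimum patched release per supported branch, per the OpenSSL advisories of
# 22 and 26 Sep 2016 quoted above. 1.0.2i and 1.1.0a were superseded four days
# later by 1.0.2j and 1.1.0b, so those are the floors, not the 22 Sep releases.
FIXED = {
    (1, 0, 1): "u",
    (1, 0, 2): "j",
    (1, 1, 0): "b",
}

# Matches e.g. "OpenSSL 1.0.2g  1 Mar 2016" or "OpenSSL 1.0.1e-fips 11 Feb 2013".
# Build suffixes such as "-fips" are deliberately not part of the version.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return ((major, minor, fix), letter) from `openssl version` output, or None.

    The letter is the patch level within a 1.x branch ('' for the base release,
    e.g. plain 1.1.0). Assumption (mine): one lowercase letter at most.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    branch = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return branch, m.group(4)


def letter_rank(letter):
    """Order patch letters: '' (no letter) < 'a' < 'b' < ... < 'z'."""
    return 0 if letter == "" else ord(letter) - ord("a") + 1


def check(text):
    """Classify a version string against FIXED.

    Returns (status, detail) where status is one of
    'patched', 'vulnerable', 'not_covered' (a branch these advisories do not
    list, e.g. 1.0.0 or 0.9.8) or 'unknown' (not an OpenSSL 1.x version string).
    """
    parsed = parse_version(text)
    if parsed is None:
        return "unknown", "could not parse an OpenSSL version from: %r" % text
    branch, letter = parsed
    floor = FIXED.get(branch)
    if floor is None:
        return "not_covered", "%d.%d.%d is not a branch covered by these advisories" % branch
    have = "%d.%d.%d%s" % (branch + (letter,))
    need = "%d.%d.%d%s" % (branch + (floor,))
    if letter_rank(letter) >= letter_rank(floor):
        return "patched", "%s >= %s" % (have, need)
    return "vulnerable", "%s < %s; upgrade to %s" % (have, need, need)


def check_local_openssl():
    """Run `openssl version` on this host (needs the binary on PATH) and check it."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except FileNotFoundError:
        return "unknown", "openssl binary not found on PATH"
    return check(out)


if __name__ == "__main__":
    status, detail = check_local_openssl()
    print(status, "-", detail)
```

One caveat before trusting a "vulnerable" result: distribution builds (Debian, Ubuntu, RHEL and friends) usually backport the fixes without bumping the letter, so a host reporting 1.0.2g may well have the 22/26 Sep fixes in its package; check the package changelog or the vendor's own advisory in that case. The letter check is only reliable for OpenSSL built from upstream source.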