This morning, the OpenSSL project team released OpenSSL 1.1.0c, a security release that fixes three vulnerabilities in OpenSSL 1.1.0: one "high severity," one "moderate severity," and one "low severity" issue.
None of these bugs affect SSL/TLS certificates, so no action related to SSL/TLS certificate management is required. Source code for the patched release is available from the OpenSSL Cryptography and SSL/TLS Toolkit site.
For a full list of vulnerabilities, see the OpenSSL Security Advisory [10 Nov 2016].
The high severity vulnerability (CVE-2016-7054) affects TLS connections that negotiate one of the *-CHACHA20-POLY1305 cipher suites. A peer can send a large, corrupted record that triggers a heap buffer overflow in the ChaCha20/Poly1305 code, crashing the OpenSSL process; it is a denial of service against any client or server that has those suites enabled.
This issue only affects OpenSSL 1.1.0 (releases before 1.1.0c).
The moderate severity vulnerability (CVE-2016-7053, a NULL pointer dereference when parsing invalid CMS structures) also only affects OpenSSL 1.1.0.
The low severity vulnerability (CVE-2016-7055, a carry propagation bug in the Broadwell-specific Montgomery multiplication routine) affects OpenSSL 1.1.0 and 1.0.2.*
*Note: Although this bug is also present in OpenSSL 1.0.2, its severity and the likelihood of exploitation are low enough that the OpenSSL team will fold the fix into the next regular 1.0.2 release rather than issuing one now.

Support for OpenSSL 1.0.1 ends on December 31, 2016; the OpenSSL project will issue no security updates for 1.0.1 after that date. If you are still running OpenSSL 1.0.1, make plans now to upgrade to the latest 1.1.0 release (recommended) or to 1.0.2 before the end of 2016.
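As an added example (it is not from this post or from the OpenSSL project), the script below uses Python's ssl module to tell whether the OpenSSL library a process is linked against is one of the affected 1.1.0 builds (1.1.0, 1.1.0a, 1.1.0b), and, for hosts where 1.1.0c cannot be rolled out immediately, builds a stopgap cipher string that drops the *-CHACHA20-POLY1305 suites and confirms against the live library that they are gone. The base policy "HIGH:!aNULL:!MD5" is an assumed placeholder; substitute your own cipher policy.

```python
import re
import ssl

# Added example (not from the post or the OpenSSL project): detect an
# unpatched 1.1.0 build and keep the ChaCha20/Poly1305 suites out of a
# context until 1.1.0c is deployed.

# The fix ships in 1.1.0c; 1.1.0, 1.1.0a and 1.1.0b are the affected releases.
FIXED_PATCH_LETTER = "c"

# Matches banners such as "OpenSSL 1.1.0b  26 Sep 2016", as printed by
# `openssl version` and exposed as ssl.OPENSSL_VERSION. Other libraries
# (LibreSSL, BoringSSL) do not match and yield None.
_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, fix, patch_letter) or None if unrecognised."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def affected_by_chacha_dos(banner):
    """True for an unpatched 1.1.0 build (1.1.0, 1.1.0a, 1.1.0b).

    1.0.2 and earlier never shipped the affected ChaCha20/Poly1305 code,
    so only the 1.1.0 line is checked; patch letters sort alphabetically,
    and the unlettered 1.1.0 release sorts before 'a'."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    major, minor, fix, letter = parsed
    return (major, minor, fix) == (1, 1, 0) and letter < FIXED_PATCH_LETTER


def chacha_suites(cipher_names):
    """Filter a list of cipher suite names down to the ChaCha20 ones."""
    return [name for name in cipher_names if "CHACHA20" in name.upper()]


def stopgap_cipher_string(base="HIGH:!aNULL:!MD5"):
    """Append '!CHACHA20' to a base policy (the default is a placeholder).

    In OpenSSL cipher-list syntax '!' removes the matching suites and keeps
    them removed even if a later token would re-add them; 'CHACHA20' is the
    alias for every suite using that cipher."""
    return base + ":!CHACHA20"


def enabled_chacha_suites(cipher_string):
    """Apply cipher_string to a fresh context and return the ChaCha20 suites
    the linked OpenSSL would still offer for TLS 1.2 and below.

    TLS 1.3 suites (OpenSSL 1.1.1 and later) are selected by a separate
    setting and did not exist in the 1.1.0 line, so they are excluded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    names = [c["name"] for c in ctx.get_ciphers()
             if c.get("protocol") != "TLSv1.3"]
    return chacha_suites(names)


if __name__ == "__main__":
    banner = ssl.OPENSSL_VERSION
    print("linked library:", banner)
    if parse_openssl_version(banner) is not None:
        print("affected by the ChaCha20/Poly1305 DoS:",
              affected_by_chacha_dos(banner))
    policy = stopgap_cipher_string()
    print("ChaCha20 suites still enabled under %r: %s"
          % (policy, enabled_chacha_suites(policy)))
```

Dropping the ChaCha20 suites only removes the code path the crash goes through; it is a stopgap for the interval before the update lands, not a substitute for upgrading to 1.1.0c. On a server the equivalent is the cipher list in the TLS server's configuration, and the same "!CHACHA20" token applies wherever OpenSSL cipher-list syntax is accepted.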