Users of the open source OpenSSL encryption and authentication software are encouraged to update their existing installations to address a range of vulnerabilities that can be exploited to enable man in the middle interception and denial of service attacks.
Among the fixes is a patch for the recent Logjam vulnerability that could let attackers with a man in the middle position in networks downgrade Transport Layer Security (TLS) secured connections to weak 512-bit key length export grade cryptography.
Google security researcher Emilia Käsper and Debian Linux distribution developer Kurt Roeckx added protection for OpenSSL TLS clients against the Logjam vulnerability, rejecting encryption negotiation protocol handshakes with Diffie-Hellman key exchanges shorter than 768 bits, a limit that will be increased to 1024 bits in future releases.
Logjam affects OpenSSL 1.0.1 and 1.0.2 and users should upgrade to versions 1.0.2b and 1.0.1n respectively, the project said in its security advisory.
Five other OpenSSL flaws, with the Common Vulnerabilities and Exposures classifications CVE-2015-1788 to 1791 and the older CVE-2014-8176 with a severity rating of moderate are also addressed by the latest set of patches.
These moderate severity vulnerabilities can lead to denial of service attacks against OpenSSL systems and in one case, a program segmentation fault and potentially memory corruption.
The OpenSSL project recommends the following upgrade paths for users of different versions of its software:
- 1.0.2 users should upgrade to 1.0.2b
- 1.0.1 users should upgrade to 1.0.1n
- 1.0.0 users should upgrade to 1.0.0s
- 0.9.8 users should upgrade to 0.9.8zg
OpenSSL users are reminded that versions 0.9.8 and 1.0.0 will no longer be supported from December this year, and are advised to upgrade to newer variants.