OpenSSL closes two critical gaps
The OpenSSL project has released versions 1.0.2h and 1.0.1t of the crypto library, which it announced last week. They close six security gaps, two of which are rated "high". One of the two goes back to the fix for the Lucky 13 attack from early 2013 (CVE-2013-0169). The other important security issue concerns OpenSSL versions that were released before April 2015 and is a combination of an old and a new gap. The old hole was fixed in the source code on April 18, 2015, and the fix was integrated into the releases of 11 June 2015. All versions from OpenSSL 1.0.2c and 1.0.1o onward are therefore protected. Until March 31, 2016, the developers were not aware that the bug fixed back then could be exploited in combination with another vulnerability. This new gap has now been closed as well.
For more information, please visit heise.de