22 Sep
2016
22 Sep
'16
11:06 a.m.
Yet another list of vulnerabilities has been released for OpenSSL. The big one is this:
A malicious client can send an excessively large OCSP Status Request extension. If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then there will be unbounded memory growth on the server. This will eventually lead to a Denial Of Service attack through memory exhaustion. Servers with a default configuration are vulnerable even if they do not support OCSP.
https://www.openssl.org/news/secadv/20160922.txt <sigh> Time for everyone to upgrade OpenSSL. Again. Alan DeKok.