More OpenSSL badness

Alan DeKok aland at
Thu Sep 22 17:06:25 CEST 2016

  Yet another list of vulnerabilities has been released for OpenSSL.

  The big one is this:

> A malicious client can send an excessively large OCSP Status Request extension.
> If that client continually requests renegotiation, sending a large OCSP Status
> Request extension each time, then there will be unbounded memory growth on the
> server. This will eventually lead to a Denial Of Service attack through memory
> exhaustion. Servers with a default configuration are vulnerable even if they do
> not support OCSP.

  <sigh>  Time for everyone to upgrade OpenSSL.  Again.

  Alan DeKok.

More information about the Freeradius-Users mailing list