More OpenSSL badness
Alan DeKok
aland at deployingradius.com
Thu Sep 22 17:06:25 CEST 2016
Yet another list of vulnerabilities has been released for OpenSSL.
The big one is this:
> A malicious client can send an excessively large OCSP Status Request extension.
> If that client continually requests renegotiation, sending a large OCSP Status
> Request extension each time, then there will be unbounded memory growth on the
> server. This will eventually lead to a Denial Of Service attack through memory
> exhaustion. Servers with a default configuration are vulnerable even if they do
> not support OCSP.
https://www.openssl.org/news/secadv/20160922.txt
<sigh> Time for everyone to upgrade OpenSSL. Again.
Alan DeKok.
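Added example, not part of Alan's post and not FreeRADIUS or OpenSSL project code: a small Python check that classifies `openssl version` output against the first fixed release on each branch named in the linked advisory (1.0.1u, 1.0.2i, 1.1.0a). It implements OpenSSL's letter-suffix ordering, so it knows that the bare 1.1.0 release is older than 1.1.0a and that 1.0.2h is older than 1.0.2i. The hostnames and version strings in SAMPLE_HOSTS are constructed for illustration; branches older than 1.0.1 are reported as "unsupported" because they were out of support at the time and received no fix.

```python
"""
Classify `openssl version` strings against the fixes from the OpenSSL
security advisory of 22 Sep 2016 (the one quoted in the post).

Added example, not project code. Fixed release numbers (1.0.1u, 1.0.2i,
1.1.0a) are taken from that advisory; sample hosts/versions are constructed.
"""
import re
import ssl

# First release on each then-supported branch carrying the fix,
# keyed by (major, minor, fix) -> letter suffix.
FIXED_IN = {
    (1, 0, 1): "u",
    (1, 0, 2): "i",
    (1, 1, 0): "a",
}
OLDEST_FIXED_BRANCH = min(FIXED_IN)
NEWEST_FIXED_BRANCH = max(FIXED_IN)

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return ((major, minor, fix), suffix) from an `openssl version` line.

    Accepts e.g. "OpenSSL 1.0.2h  3 May 2016" or "OpenSSL 1.0.2h-fips ...";
    a trailing "-fips" or date is ignored. Raises ValueError otherwise.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % (text,))
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    return branch, m.group(4)


def suffix_key(suffix):
    """Sort key for OpenSSL letter suffixes: "" < "a" < ... < "z" < "za"."""
    return (len(suffix), suffix)


def assess(text):
    """Return 'fixed', 'vulnerable' or 'unsupported' for one version string."""
    branch, suffix = parse_version(text)
    if branch < OLDEST_FIXED_BRANCH:
        return "unsupported"          # 0.9.8 / 1.0.0: end of life, no fix
    if branch > NEWEST_FIXED_BRANCH:
        return "fixed"                # released after the advisory
    if suffix_key(suffix) >= suffix_key(FIXED_IN[branch]):
        return "fixed"
    return "vulnerable"


def assess_local():
    """Assess the OpenSSL this Python interpreter is linked against."""
    version = ssl.OPENSSL_VERSION
    try:
        return version, assess(version)
    except ValueError:                # e.g. LibreSSL builds
        return version, "unknown"


# Constructed inventory: what `openssl version` printed on each host.
SAMPLE_HOSTS = {
    "radius1": "OpenSSL 1.0.2h  3 May 2016",
    "radius2": "OpenSSL 1.0.2i  22 Sep 2016",
    "radius3": "OpenSSL 1.1.0  25 Aug 2016",
    "legacy":  "OpenSSL 1.0.0t  3 Dec 2015",
}


def report(hosts):
    """Map host name -> assessment for a dict of version strings."""
    return {name: assess(version) for name, version in hosts.items()}


if __name__ == "__main__":
    for name, status in sorted(report(SAMPLE_HOSTS).items()):
        print("%-8s %s" % (name, status))
    print("local:  %s -> %s" % assess_local())
```

Feed it the output of `openssl version` collected from each server; anything reported as "vulnerable" needs the upgrade, and "unsupported" means the branch has to be replaced rather than patched.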