Michael S. Mimoso submits: Recently disclosed vulnerabilities in OpenSSL could leave systems open to denial-of-service attacks at the minimum and, at worst, remote compromises. Experts recommend that users of affected systems upgrade to OpenSSL 0.9.7c or 0.9.6k. Other applications use OpenSSL's libraries, so companies should check with their software vendors to see whether their software is affected.

All versions of OpenSSL up to and including 0.9.6j and 0.9.7b are affected, according to an advisory by the OpenSSL Project, the group that develops the software. All versions of SSLeay are also susceptible, as is any application that makes use of OpenSSL's ASN.1 library to parse untrusted data.
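A quick way to triage hosts against the version ranges above is to compare the string reported by each system with the fixed releases. The following is an added example, not code from the article or the OpenSSL Project; the function names and sample strings are constructed, and it assumes that branches newer than 0.9.7 postdate the fix and are therefore not flagged for this advisory.

```python
import re

# First fixed release per branch, as named in the article (0.9.6k and 0.9.7c).
FIXED = {(0, 9, 6): "k", (0, 9, 7): "c"}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return ((major, minor, fix), letter) from a string like 'OpenSSL 0.9.7b'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL-style version found in {text!r}")
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4)


def _letter_key(letter):
    # '' (no patch letter) sorts before 'a'; a longer suffix sorts after a shorter one.
    return (len(letter), letter)


def is_affected(text):
    """True if the reported version falls in the range the advisory describes."""
    if "ssleay" in text.lower():
        return True  # the advisory lists all SSLeay versions as susceptible
    branch, letter = parse_version(text)
    if branch in FIXED:
        return _letter_key(letter) < _letter_key(FIXED[branch])
    # Assumption: branches older than 0.9.6 are affected ("all versions up to..."),
    # branches newer than 0.9.7 were released after the fix.
    return branch < min(FIXED)


if __name__ == "__main__":
    # Constructed inventory lines, in the shape `openssl version` reports.
    for line in ["OpenSSL 0.9.6j", "OpenSSL 0.9.6k", "OpenSSL 0.9.7b",
                 "OpenSSL 0.9.7c", "OpenSSL 0.9.5a", "SSLeay 0.9.0b"]:
        print(f"{line:18} affected={is_affected(line)}")
```

This only checks the system library's reported version; applications that bundle or statically link their own copy of OpenSSL still need the vendor check the article recommends.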

OpenSSL is an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, which provide encryption and other security services for Web and e-mail applications. The actual flaw lies in how OpenSSL implements the Abstract Syntax Notation One (ASN.1) data format.

The link for this article located at SearchSecurity is no longer available.