OpenSSL fixed a critical flaw introduced on 22nd September patch

strong passwords in linux

OpenSSL released a patch on 22nd September 2016 to address a lot of security holes. But four days later, with a security advisory, the team announced that this patch contains a critical flaw; the issue only affects OpenSSL 1.1.0a.

Using their own words:

“The patch applied to address CVE-2016-6307 resulted in an issue where if a
message larger than approx 16k is received then the underlying buffer to store
the incoming message is reallocated and moved. Unfortunately a dangling pointer
to the old location is left which results in an attempt to write to the
previously freed location. This is likely to result in a crash, however it
could potentially lead to execution of arbitrary code.”

Robert Święcki, who works for Google Security Team, was the first reporting the issue to OpenSSL Project.

Of course, developers released a fixed version, 1.1.0b, which every 1.1.0 user should install to avoid critical problems. In that security advisory, they also announced a fixed version of 1.0.2i, in which CRL sanity check was omitted. Users of 1.0.2i should upgrade to 1.0.2j.

  • I profited 104000 bucks previous year by doing an online job from home and I did that by work­ing part-time for 3+ hrs daily. I used a business model I was introduced by this company i found online and I am so excited that I was able to earn such great money. It’s really user friendly a­­n­­d I am just so thankful that i learned about it. This is what i did… STATICTAB.COM/r2tyhgi