As announced on Tuesday, the OpenSSL project team released OpenSSL version 1.1.0c that addresses three security vulnerabilities in its software.
The most serious of all is a heap-based buffer overflow bug (CVE-2016-7054) related to Transport Layer Security (TLS) connections using *-CHACHA20-POLY1305 cipher suites.
The vulnerability, reported by Robert Święcki of the Google Security Team on September 25, can lead to a DoS attack: corrupting larger payloads causes OpenSSL to crash.
The flaw is rated “High” severity and does not affect OpenSSL versions prior to 1.1.0. However, the OpenSSL team reports there is no evidence that it is exploitable beyond a DoS attack.
The OpenSSL project also patches a moderate severity flaw (CVE-2016-7053) that can cause applications to crash.
“Applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure callback if an attempt is made to free certain invalid encodings. Only CHOICE structures using a callback which do not handle NULL value are affected,” the team explains.
This vulnerability, too, affects only OpenSSL 1.1.0.
The OpenSSL 1.1.0c update also fixes a low severity flaw (CVE-2016-7055), which is related to the Broadwell-specific Montgomery multiplication procedure that handles input lengths divisible by, but longer than, 256 bits.
The issue was initially not considered a security problem, but experts have since demonstrated that the vulnerability can be exploited by attackers in very specific circumstances.
This vulnerability affects OpenSSL version 1.0.2, but because of its low severity the team did not issue a 1.0.2 update at this time; the fix will be included in the next 1.0.2 release, and 1.0.2 users are advised to wait for it.
All the users are strongly recommended to upgrade their software to OpenSSL version 1.1.0c.
As in its previous announcements, the OpenSSL Project has reminded users that OpenSSL version 1.0.1 will no longer be supported after December 31, 2016 and will receive no security updates after that deadline.
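As an added example (not from the article or the OpenSSL project), the following script parses `openssl version` output and maps a build to the advisory facts summarised above, so an inventory of hosts can be triaged; the sample version strings are constructed, and the letter-suffix ordering (1.1.0 < 1.1.0a < ... < 1.1.0c) is OpenSSL's own release scheme.

```python
import re
import subprocess

# Facts taken from the 1.1.0c advisory as reported above.
FIXED_110_LETTER = "c"  # 1.1.0c fixes CVE-2016-7054 and CVE-2016-7053
EOL_101 = "December 31, 2016"  # 1.0.1 receives no security updates afterwards


def parse_openssl_version(text):
    """Turn 'OpenSSL 1.1.0b  26 Sep 2016' into (1, 1, 0, 'b').

    The letter is the patch release and may be absent (''), which sorts
    before 'a' under plain string comparison."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def assess(version_text):
    """Return the CVEs from this advisory that apply and the recommended action."""
    major, minor, patch, letter = parse_openssl_version(version_text)
    branch = (major, minor, patch)
    result = {"version": "%d.%d.%d%s" % (major, minor, patch, letter),
              "cves": [], "action": "not covered by the 1.1.0c advisory"}
    if branch == (1, 1, 0):
        if letter < FIXED_110_LETTER:  # '' < 'a' < 'b' < 'c'
            result["cves"] = ["CVE-2016-7054", "CVE-2016-7053"]
            result["action"] = "upgrade to OpenSSL 1.1.0c"
        else:
            result["action"] = "fixed; no action for this advisory"
    elif branch == (1, 0, 2):
        # Low-severity Montgomery bug; fix deferred to the next 1.0.2 release.
        result["cves"] = ["CVE-2016-7055"]
        result["action"] = "wait for the next 1.0.2 release"
    elif branch == (1, 0, 1):
        result["action"] = "1.0.1 is unsupported after %s; plan migration" % EOL_101
    return result


def assess_local():
    """Assess the OpenSSL binary on this host (hypothetical helper)."""
    out = subprocess.check_output(["openssl", "version"]).decode()
    return assess(out)


if __name__ == "__main__":
    for sample in ("OpenSSL 1.1.0b  26 Sep 2016",   # constructed samples
                   "OpenSSL 1.1.0c  10 Nov 2016",
                   "OpenSSL 1.0.2j  26 Sep 2016",
                   "OpenSSL 1.0.1u  22 Sep 2016"):
        print(assess(sample))
```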