OpenSSL patches infinite-loop DoS bug in certificate verification
When it comes to writing loops in your code... never sit on the fence!
OpenSSL is an open-source toolkit for encrypted communications, so its vulnerabilities and security updates can affect software, servers, and data protection.
Search across headline titles and summaries.
Background for this topic.
OpenSSL is an open-source cryptographic library and command-line toolkit used to implement Transport Layer Security (TLS), the protocol that protects network connections. It provides cryptographic algorithms, key generation, certificate and X.509 handling, and APIs used by operating systems, servers, applications, and embedded devices. Although commonly associated with “SSL,” the obsolete SSL protocols should not be enabled; modern deployments use TLS.
OpenSSL vulnerabilities can affect many dependent applications, particularly when flaws involve memory handling, cryptographic operations, certificate parsing, or TLS protocol processing. Security teams need an inventory of software and devices that include the library, because updating a package or operating-system component may be necessary even when OpenSSL is not directly visible. Advisories should be assessed against the deployed version, enabled features, and exposure, while private keys require strict protection and certificate validation must be configured correctly. Vulnerability remediation may also require restarting services or replacing processes that continue to use an older library in memory.
When it comes to writing loops in your code... never sit on the fence!
OpenSSL has released a security update to address a vulnerability in the library that, if exploited, activates an infinite loop function and leads to denial of service conditions. [...]
Bad data can throw vulnerable apps and services for an infinite loop A bug in OpenSSL certificate parsing leaves systems open to denial-of-service attacks from anyone wielding an explicit curve. …
The maintainers of OpenSSL have shipped patches to resolve a high-severity security flaw in its software library that could lead to a denial-of-service (DoS) condition when parsing certificates