The 4-year-old CVE-2010-5298 is described as:
"Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment."
The more concerning part is obviously the data injection.
CVE-2014-0198 is described as "A null pointer dereference bug was discovered in do_ssl3_write(). An attacker could possibly use this to cause OpenSSL to crash, resulting in a denial of service."
Clearly, in the wake of Heartbleed, OpenSSL is undergoing serious scrutiny, and hopefully this results in a wider attitude change:
Just because something is open source doesn't mean someone has audited the code for you; it's there, you can read it yourself ... 20:20 hindsight, eh?
Ah well, sleep is truly for quitters ... headdesk