Problem with OpenSSL Patches of September 22, 2016

Amol Sarwate

Today, OpenSSL released an update advising of a problem with the patches that were released last week, on September 22.

The first offending patch was for CVE-2016-6309; it could result in a crash or even execution of attacker-supplied code, compromising the patched machine. This issue only affects OpenSSL 1.1.0a, released on 22nd September 2016. As a result, OpenSSL 1.1.0 users should upgrade to 1.1.0b.

The second offending patch was for CVE-2016-7052; if the patch is installed, it could allow attackers to cause a denial of service condition leading to a crash. This issue affects only OpenSSL 1.0.2i, released on 22nd September 2016. As a result, OpenSSL 1.0.2i users should upgrade to 1.0.2j.
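As an added example, not code from the original post or from the OpenSSL project, the following POSIX shell function classifies an `openssl version` string against the two affected releases named above; it assumes the usual `OpenSSL <version>  <date>` output format.

```shell
# Added example (not from the original post or from OpenSSL): classify the
# output of `openssl version` against the two affected releases above.
# Assumes the usual format "OpenSSL <version>  <date>".
check_openssl_version() {
    # $1: one line as printed by `openssl version`
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    case "$ver" in
        1.1.0a)
            printf '%s\n' "AFFECTED $ver: CVE-2016-6309 (crash or code execution); upgrade to 1.1.0b"
            return 1 ;;
        1.0.2i)
            printf '%s\n' "AFFECTED $ver: CVE-2016-7052 (crash / denial of service); upgrade to 1.0.2j"
            return 1 ;;
        "")
            printf '%s\n' "UNKNOWN: could not parse a version from: $1"
            return 2 ;;
        *)
            printf '%s\n' "OK $ver: not one of the two affected releases"
            return 0 ;;
    esac
}

# Constructed sample lines in the format `openssl version` prints.
check_openssl_version "OpenSSL 1.1.0a  22 Sep 2016" || :
check_openssl_version "OpenSSL 1.0.2i  22 Sep 2016" || :
check_openssl_version "OpenSSL 1.0.2j  26 Sep 2016" || :
# For the local build: check_openssl_version "$(openssl version)"
```

Distribution packages often backport fixes while keeping the upstream version string, so on such systems check the package version rather than relying on `openssl version` alone.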


  1. QID 38639 OpenSSL Multiple Vulnerabilities (OpenSSL Security Advisory 20160926) covers both CVE-2016-6309 and CVE-2016-7052. QID 38639 was released to our customers on September 27, 2016. Customers will need to ensure their Qualys scanners are on-line and receiving updates. Support can assist if any Qualys scanner is out-of-date.

    Many OS vendors are starting to release updates for the OpenSSL issue. For example, Fedora recently released an update (September 29). This can be detected by using QID 276167: Fedora Security Update for openssl (FEDORA-2016-a555159613).