Problem with OpenSSL Patches of September 22, 2016
Last updated on: November 3, 2022
Today, OpenSSL has released an update advising of a problem with patches that were released last week on September 22.
The first offending patch was for CVE-2016-6309, and it could result in a crash or even execution of attacker-supplied code, resulting in compromise of the patched machine. This issue only affects OpenSSL 1.1.0a, released on 22nd September 2016. As a result, OpenSSL 1.1.0 users should upgrade to 1.1.0b.
The second offending patch was for CVE-2016-7052, and if the patch is installed, it could allow attackers to cause a denial of service condition leading to a crash. This issue affects only OpenSSL 1.0.2i, released on 22nd September 2016. As a result, OpenSSL 1.0.2i users should upgrade to 1.0.2j.
When will QIDs be published for these?
^ YEP!!!!!
QID 38639 OpenSSL Multiple Vulnerabilities (OpenSSL Security Advisory 20160926) covers both CVE-2016-6309 and CVE-2016-7052. QID 38639 was released to our customers on September 27, 2016. Customers will need to ensure their Qualys scanners are online and receiving updates. Support can assist if any Qualys scanner is out of date.
Many OS vendors are starting to release updates for the OpenSSL issue. For example, Fedora recently released an update (September 29). This can be detected by using QID 276167: Fedora Security Update for openssl (FEDORA-2016-a555159613).
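A quick local check to complement the scanner QIDs above, added here as an example and not code from the original thread, from OpenSSL or from Qualys: a POSIX sh function that classifies an `openssl version` banner against the two regressions the advisory describes (CVE-2016-6309 only in 1.1.0a, fixed in 1.1.0b; CVE-2016-7052 only in 1.0.2i, fixed in 1.0.2j). The function name and the status strings are this example's own; the banner strings used to exercise it are constructed.

```shell
#!/bin/sh
# Added example: not code from the original thread, from OpenSSL or from Qualys.
# Classifies an `openssl version` banner against the two regressions discussed in
# the thread: CVE-2016-6309 affects only 1.1.0a (fixed in 1.1.0b) and
# CVE-2016-7052 affects only 1.0.2i (fixed in 1.0.2j).
# Prints one status line; exit status 0 = not hit by these two regressions,
# 1 = vulnerable, 2 = banner not recognised.

openssl_regression_check() {
    banner="$1"
    # Pull the version token out of e.g. "OpenSSL 1.0.2i  22 Sep 2016" or
    # "OpenSSL 1.0.2i-fips  22 Sep 2016": digits and dots, then an optional patch letter.
    ver=$(printf '%s\n' "$banner" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "unrecognised banner: $banner"
        return 2
    fi
    case "$ver" in
        1.1.0a)
            echo "vulnerable CVE-2016-6309 ($ver): upgrade to 1.1.0b"; return 1 ;;
        1.0.2i)
            echo "vulnerable CVE-2016-7052 ($ver): upgrade to 1.0.2j"; return 1 ;;
        1.1.0[b-z]|1.0.2[j-z])
            # OpenSSL patch levels are single lowercase letters, so a character
            # range orders them: b and later on 1.1.0, j and later on 1.0.2.
            echo "fixed ($ver)"; return 0 ;;
        1.1.0|1.0.2|1.0.2[a-h])
            echo "predates the 22 Sep 2016 release ($ver): not affected by these two regressions"; return 0 ;;
        *)
            echo "other branch ($ver): not covered by this advisory"; return 0 ;;
    esac
}

# Stand-alone use: check the OpenSSL binary on this host, if there is one.
if command -v openssl >/dev/null 2>&1; then
    openssl_regression_check "$(openssl version)" || :
fi
```

The banner only reflects the upstream version string. Distribution packages routinely backport fixes without changing that string, so for a vendor-packaged OpenSSL the package version is the authoritative signal (which is what the Fedora QID in the post above checks); this function is for self-built or vendor-supplied binaries where the upstream version is what is actually installed.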