Showing posts with label OpenSSL. Show all posts

Thursday, September 22, 2016

Security notification: OpenSSL OCSP Status Request Extension Unbounded Memory Growth (CVE-2016-6304)


[UPDATE 2016-10-13]

BCH images have been updated properly. You can now launch new servers that mitigate the vulnerability.

[UPDATE 2016-10-07]

All the affected cloud images, virtual machines and native installers have been successfully patched.

If you are using a Bitnami Cloud Hosting instance, you can easily patch it following the guide below while we upgrade the base images.

[UPDATE 2016-09-26]

The OpenSSL team announced the release of version 1.0.2j, which fixes a missing CRL sanity check that affects only version 1.0.2i: any attempt to use CRLs in OpenSSL 1.0.2i crashes with a NULL pointer dereference (CVE-2016-7052). If you already updated to 1.0.2i, update again to 1.0.2j.

To update to the new OpenSSL version, please follow the instructions in our documentation system. 

The Bitnami Team will continue working on updating the Cloud Images, Virtual Machines and Native Installers using the latest released version.

[UPDATE 2016-09-23]

The Bitnami Team is happy to announce that our images on Google, Azure, Oracle (Ubuntu) and the AWS Marketplace have been properly updated. We will continue to work on releasing updated images for all of our other cloud platform partners, as well as the virtual machines and native installers.

----

A new security vulnerability was recently discovered in certain versions of OpenSSL. More information about the vulnerability is available on the OpenSSL website: https://www.openssl.org/news/secadv/20160922.txt

Any Bitnami-packaged application using an affected OpenSSL version (prior to 1.0.1u, 1.0.2i or 1.1.0a) is vulnerable. The issue is a server-side denial of service: a client can renegotiate repeatedly, sending a large OCSP Status Request extension each time, and the server never frees the previous copy, so memory grows until the process is killed. It affects servers in the default configuration even if OCSP stapling is not in use.

To secure your server, you need to update both the OpenSSL version included in the system and the OpenSSL library bundled with the Bitnami installation. Please take a moment to update your existing installations of Bitnami-packaged applications by following the instructions in our documentation system.
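Because a server carries two copies of OpenSSL (the distribution's and the one bundled with the stack), it is easy to patch one and miss the other. The script below is an added example, not Bitnami's own tooling: it parses the banner printed by `openssl version`, classifies it against the fixed releases named in this advisory (1.0.1u, 1.0.2i, 1.1.0a), and also flags 1.0.2i itself, which the 2016-09-26 update above says crashes on CRL use (CVE-2016-7052, fixed in 1.0.2j). The bundled binary path `/opt/bitnami/common/bin/openssl` is an assumption about a typical install layout; adjust it for your stack.

```python
"""Decide whether an OpenSSL build needs the 2016-09-22 update (CVE-2016-6304).

Added example, not Bitnami's tooling. Thresholds come from the OpenSSL
advisory (1.0.1u, 1.0.2i, 1.1.0a) and the 2016-09-26 follow-up that 1.0.2i
itself crashes on CRL use (CVE-2016-7052, fixed in 1.0.2j).
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, str]

VULNERABLE = "vulnerable: update OpenSSL"
PATCHED = "patched"
PATCHED_CRL_BUG = ("patched for CVE-2016-6304, but 1.0.2i crashes on CRLs "
                   "(CVE-2016-7052): update to 1.0.2j")
UNSUPPORTED = "unsupported branch: no fix will be released, migrate to 1.0.2 or 1.1.0"

# First release on each supported branch that contains the fix.
FIXED_IN = {
    (1, 0, 1): "u",
    (1, 0, 2): "i",
    (1, 1, 0): "a",
}

_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(banner: str) -> Optional[Version]:
    """Parse the output of `openssl version`, e.g. 'OpenSSL 1.0.2h  3 May 2016'."""
    m = _BANNER.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def _patch_rank(letter: str) -> int:
    """'' (the .0 release) sorts before 'a', which sorts before 'b', and so on."""
    return 0 if not letter else ord(letter) - ord("a") + 1


def assess(version: Version) -> str:
    """Classify a parsed version against the advisory's fixed releases."""
    branch, letter = version[:3], version[3]
    if branch not in FIXED_IN:
        return UNSUPPORTED  # 1.0.0 and 0.9.8 receive no fix for this issue
    if _patch_rank(letter) < _patch_rank(FIXED_IN[branch]):
        return VULNERABLE
    if version == (1, 0, 2, "i"):
        return PATCHED_CRL_BUG
    return PATCHED


def assess_binary(openssl_path: str) -> str:
    """Run `<path> version` and classify it; a missing binary is reported, not fatal."""
    try:
        out = subprocess.run([openssl_path, "version"], capture_output=True,
                             text=True, timeout=10, check=True).stdout
    except (OSError, subprocess.SubprocessError) as exc:
        return f"could not run {openssl_path}: {exc}"
    version = parse_openssl_version(out)
    if version is None:
        return f"unrecognised banner from {openssl_path}: {out.strip()!r}"
    return f"{openssl_path}: {out.strip()} -> {assess(version)}"


if __name__ == "__main__":
    # Both copies matter: the distro's OpenSSL and the one bundled with the stack.
    # The second path is an assumption about a typical Bitnami install layout.
    for path in ("openssl", "/opt/bitnami/common/bin/openssl"):
        print(assess_binary(path))
```

Run it as root on the server; a line reading "vulnerable" for either binary means that copy still needs the update from the documentation, and a "patched ... CVE-2016-7052" line means the 1.0.2i to 1.0.2j step still applies.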

If you have any questions about this process, please post to our community support forum and we will be happy to help!

Tuesday, May 3, 2016

Security notification: OpenSSL 1.0.2h / 1.0.1t

A new security vulnerability was recently discovered in certain versions of OpenSSL. More information about the vulnerability is available on the OpenSSL website: https://www.openssl.org/news/secadv/20160503.txt

There are two high-severity issues in this advisory, neither of which affects Bitnami installations:

1. Memory corruption in the ASN.1 encoder (CVE-2016-2108).

  • All of the currently released Bitnami stacks ship OpenSSL 1.0.2c / 1.0.1o or later; this flaw affects only versions earlier than those.

2. Padding oracle in AES-NI CBC MAC check (CVE-2016-2107). 

  • The OpenSSL we ship with the Bitnami installers, virtual machines and cloud images is built without AES-NI support, so the vulnerable AES-NI CBC code path is not present.

The Bitnami team will continue working on updating OpenSSL to 1.0.2h for all Bitnami apps; to be clear, however, the two security issues above do not affect the applications that are currently available.

Tuesday, March 1, 2016

Security Notification: OpenSSL Cross-Protocol Attack on TLS Using SSLv2 (DROWN) (CVE-2016-0800 and CVE-2016-0703)

A new security vulnerability was recently discovered in certain versions of OpenSSL. More information about the vulnerability is available on the OpenSSL website: https://www.openssl.org/news/secadv/20160301.txt

All the Bitnami-packaged applications are NOT VULNERABLE because Apache disables SSLv2 and EXPORT cipher suites for HTTPS by default. Note that DROWN is a cross-protocol attack: a TLS server remains exposed if its private key is also used by any other service that still accepts SSLv2 (a mail server, for example), so check every service that shares the certificate, not only the web server.

Please take a moment to update existing Bitnami cloud images or virtual machines by following the instructions on our wiki:

https://wiki.bitnami.com/security/2016-03-01_OpenSSL_Cross-protocol_attack_on_TLS_using_SSLv2_(DROWN)_(CVE-2016-0800_and_CVE-2016-0703)

To check whether your server is vulnerable, use the following automatic DROWN Attack checker:

https://drownattack.com/#check
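The online checker needs to reach your host from the Internet, which is not always possible for internal servers. The following is an added example, not Bitnami's code or the DROWN authors' checker, that performs the same first step locally: it sends a hand-built SSLv2 CLIENT-HELLO over a raw socket and reports whether the server answers with an SSLv2 SERVER-HELLO (and whether it offers the 40-bit export ciphers that make the general DROWN attack cheap). Modern `ssl` modules refuse to speak SSLv2 at all, which is why the record is assembled by hand from the SSLv2 message layout. The host and port are whatever you pass in; the sample responses at the bottom are constructed for offline testing, not captured traffic.

```python
"""Probe an endpoint for SSLv2 support, the precondition for DROWN.

Added example, not Bitnami's or the DROWN authors' code. The SSLv2
CLIENT-HELLO (msg type 1, 2-byte record header with the high bit set)
is built by hand because modern `ssl` modules cannot negotiate SSLv2.
"""
import socket
import struct

SSLV2_CLIENT_HELLO = 0x01
SSLV2_SERVER_HELLO = 0x04
SSLV2_VERSION = 0x0002

# SSLv2 cipher specs are 3 bytes each; the two *_EXPORT40 specs are the
# 40-bit ones that make the general DROWN attack cheap.
SSLV2_CIPHER_SPECS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
EXPORT_SPECS = {b"\x02\x00\x80", b"\x04\x00\x80"}


def sslv2_record(body: bytes) -> bytes:
    """Wrap a message in the 2-byte SSLv2 record header (no-padding form)."""
    assert len(body) < 0x8000
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_sslv2_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """CLIENT-HELLO offering every SSLv2 cipher spec, with an empty session id."""
    specs = b"".join(SSLV2_CIPHER_SPECS)
    body = struct.pack(">BHHHH", SSLV2_CLIENT_HELLO, SSLV2_VERSION,
                       len(specs), 0, len(challenge))
    return sslv2_record(body + specs + challenge)


def parse_sslv2_server_hello(data: bytes):
    """Return the ciphers offered in a SERVER-HELLO, or None if `data` is not one.

    A server with SSLv2 disabled closes the socket or answers with a TLS
    alert record (first byte 0x15); neither has the record high bit set.
    """
    if len(data) < 2 or not data[0] & 0x80:
        return None
    length = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != SSLV2_SERVER_HELLO:
        return None
    # msg type, session-id-hit, certificate type, version, cert len, specs len, conn-id len
    _, _hit, _cert_type, version, cert_len, specs_len, _conn_len = \
        struct.unpack(">BBBHHHH", body[:11])
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    if version != SSLV2_VERSION or len(specs) != specs_len or specs_len % 3:
        return None
    offered = [specs[i:i + 3] for i in range(0, specs_len, 3)]
    return {
        "ciphers": [SSLV2_CIPHER_SPECS.get(s, s.hex()) for s in offered],
        "export_grade": any(s in EXPORT_SPECS for s in offered),
    }


def probe_sslv2(host: str, port: int = 443, timeout: float = 5.0):
    """Send a CLIENT-HELLO and report what the server offers (None means no SSLv2)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return None
    return parse_sslv2_server_hello(data)


# Constructed sample responses (not captured traffic) for offline checking.
_sample_body = (struct.pack(">BBBHHHH", SSLV2_SERVER_HELLO, 0, 1, SSLV2_VERSION,
                            3, 6, 16)
                + b"\x30\x01\x00"                # placeholder certificate bytes
                + b"\x01\x00\x80\x02\x00\x80"    # RC4-128 and RC4-40 export
                + b"\xaa" * 16)                  # connection id
SAMPLE_SERVER_HELLO = sslv2_record(_sample_body)
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"  # TLS alert: handshake_failure

if __name__ == "__main__":
    import sys
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe_sslv2(sys.argv[1], port))
```

A result of None means the endpoint does not speak SSLv2; a dictionary means it does and the host (and every other host sharing its key) should be treated as DROWN-exposed until SSLv2 is disabled. Remember to probe the mail and other TLS ports that share the certificate, not only 443.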

If you have any questions about this process, please post to our community support forum and we will be happy to help!

Friday, July 10, 2015

Security Notification: OpenSSL Alternative chains certificate forgery CVE-2015-1793



A new security vulnerability was recently discovered in certain versions of OpenSSL. You can find out more about the vulnerability here: https://www.openssl.org/news/secadv_20150709.txt

Any Bitnami-packaged applications using affected versions of OpenSSL (1.0.1n, 1.0.1o, 1.0.2b and 1.0.2c, the releases available from June 11th, 2015; fixed in 1.0.1p and 1.0.2d) that were installed or launched after June 11th, 2015 are vulnerable.

While this vulnerability is not as critical as previous ones like Heartbleed, we believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami. To this end, our team worked to update all of the affected applications available through Bitnami and other cloud marketplaces that distribute Bitnami images within 32 hours of the report.

We also created a patch that can be applied to fix this vulnerability in applications that are already deployed. Please take a moment to update existing installations of Bitnami-packaged applications by following the instructions in our wiki:

https://wiki.bitnami.com/security/2015-07-09_Alternative_chains_certificate_forgery_CVE-2015-1793

For a list of affected applications, please see the full post.

If you have any questions about this process, please post to our community support forum and we will be happy to help!