admin Site Admin
Joined: 03 Mar 2002 Posts: 1306
Posted: Tue Mar 15, 2022 10:18 pm Post subject: About the latest OpenSSL vulnerability
Dear all,
Today (March 15, 2022), the OpenSSL project has reported a vulnerability in one of its core computation algorithms that mainly affects reading elliptic curve certificates. Some specially crafted certificates and/or private keys based on elliptic curves can send OpenSSL (and its calling process) into an infinite loop:
https://www.openssl.org/news/openssl-1.1.1-notes.html
As you know, Abyss Web Server uses OpenSSL to handle parts of its TLS/SSL support. Hopefully, this particular vulnerability is very unlikely to affect it: contrary to Web browsers, Abyss Web Server does not validate external certificates as part of its normal operation. It also does not accept client certificates.
Maliciously crafted certificates that could trigger this bug have almost no chance of being encountered by a Web server.
Despite this low risk, we are going to release in the very near future a version which includes a fixed OpenSSL version.
_________________
Forum Administrator
Aprelium - https://aprelium.com