Security Alerts & News
by Tymoteusz A. Góral

#1698 OpenSSL patches high-severity DoS bug
OpenSSL on Thursday patched three vulnerabilities in its latest update and reminded users running version 1.0.1 of the cryptographic library that security support will end Dec. 31.

Of the three bugs, only one was rated high severity and could lead to OpenSSL crashes. Only OpenSSL 1.1.0 is affected; earlier versions are not. Users should upgrade to OpenSSL 1.1.0c.

The vulnerability was privately disclosed by Robert Swiecki, an information security engineer at Google.

The flaw affects TLS connections using ChaCha20-Poly1305, OpenSSL said; ChaCha20-Poly1305 is a ciphersuite in AEAD mode, and was recently standardized.

“TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash,” OpenSSL said. “This issue is not considered to be exploitable beyond a DoS.”
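A triage check for the details above, as an added example that is not part of the article or of OpenSSL: it classifies an `openssl version` banner against the 1.1.0 / 1.1.0c boundary and lists enabled suites matching `*-CHACHA20-POLY1305`. The function names, host names and sample inputs are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Values taken from the article: only the 1.1.0 branch is affected, fixed in 1.1.0c.
AFFECTED_BRANCH = "1.1.0"
FIXED_LETTER = "c"
SUITE_PATTERN = "*-CHACHA20-POLY1305"  # pattern quoted in the OpenSSL statement

_BANNER_RE = re.compile(r"\bOpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def classify_version(banner):
    """Classify an `openssl version` banner: affected / fixed / not-affected / unknown."""
    m = _BANNER_RE.search(banner)
    if not m:
        return "unknown"  # e.g. a different TLS library; needs manual review
    branch, letter = m.groups()
    if branch != AFFECTED_BRANCH:
        return "not-affected"
    # Letter releases sort by length first ("" < "a" < ... < "z" < "za").
    key = (len(letter), letter)
    return "fixed" if key >= (len(FIXED_LETTER), FIXED_LETTER) else "affected"


def chacha_suites(cipher_list):
    """Return enabled suites (colon-separated `openssl ciphers` output) matching the pattern."""
    return [s for s in cipher_list.strip().split(":") if fnmatchcase(s, SUITE_PATTERN)]


def triage(banner, cipher_list):
    """Combine both checks into one finding for a host."""
    status = classify_version(banner)
    suites = chacha_suites(cipher_list)
    return {
        "version_status": status,
        "chacha_suites": suites,
        "upgrade_to_1_1_0c": status == "affected",
        "chacha_exposed": status == "affected" and bool(suites),
    }


if __name__ == "__main__":
    # Constructed sample inputs, not captured from real hosts.
    hosts = {
        "web01": ("OpenSSL 1.1.0b", "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256"),
        "web02": ("OpenSSL 1.1.0c", "ECDHE-RSA-CHACHA20-POLY1305:AES128-SHA"),
        "legacy": ("OpenSSL 1.0.1u", "AES128-SHA"),
    }
    for name, (banner, ciphers) in hosts.items():
        print(name, triage(banner, ciphers))
```

Banners that do not parse as an OpenSSL release come back as `unknown` rather than as safe, so they are flagged for manual review.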