New OpenSSL versions squash LogJam bug

The OpenSSL Project has pushed another update for the eponymous open-source cryptographic library. This one plugs several moderate bugs, one low one, and LogJam (CVE-2015-4000), which can be exploited to perform MitM attacks.

“A vulnerability in the TLS protocol allows a man-in-the-middle attacker to downgrade vulnerable TLS connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography,” they explained in an advisory published on Thurdsay.

“OpenSSL has added protection for TLS clients by rejecting handshakes with DH parameters shorter than 768 bits. This limit will be increased to 1024 bits in a future release.”

Users are advised to upgrade to OpenSSL 1.0.2b and 1.0.1n. Also, as the advisory states, support for OpenSSL versions 1.0.0 and 0.9.8 will cease on 31st December 2015, so users of those versions should also consider upgrading to one of those version.

Don't miss