Severity: High
A malicious client can send an excessively large OCSP Status Request extension. If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then
even if they do not support OCSP. Builds using the "no-ocsp" build time option are not affected.

Servers using OpenSSL versions prior to 1.0.1g are not vulnerable in a default configuration, instead only if an application explicitly enables OCSP stapling support.

OpenSSL 1.1.0 users should upgrade to 1.1.0a
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
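As an added illustration of the mechanism described above (this is example code, not code from the OpenSSL advisory or the OpenSSL project), the following Python parses a TLS ClientHello from raw record bytes, reassembles handshake fragments split across records, and reports the length of the status_request extension (extension type 5, RFC 6066) so that a monitoring or logging tool can flag clients that present implausibly large OCSP Status Request extensions. The two sample ClientHellos, the 1024-byte threshold, and the function names are constructed assumptions for this example.

```python
import struct

STATUS_REQUEST = 5          # extension type "status_request" (RFC 6066)
TLS_MAX_PLAINTEXT = 16384   # maximum TLS record plaintext length (2^14)


def build_client_hello(extensions):
    """Build a minimal TLS 1.2 ClientHello as one or more handshake records.

    Constructed test input, not a real capture. `extensions` is a list of
    (ext_type, ext_data) tuples. Long messages are fragmented across records
    the same way a real stack would do it.
    """
    body = b"\x03\x03"                               # client_version TLS 1.2
    body += bytes(32)                                # random (constructed zeros)
    body += b"\x00"                                  # session_id length 0
    body += struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
    body += b"\x01\x00"                              # compression methods: null only
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    records = b""
    for i in range(0, len(handshake), TLS_MAX_PLAINTEXT):
        frag = handshake[i:i + TLS_MAX_PLAINTEXT]
        records += b"\x16\x03\x01" + struct.pack("!H", len(frag)) + frag
    return records


def parse_client_hello_extensions(data):
    """Reassemble handshake records and return {ext_type: ext_length} of a ClientHello."""
    hs, off = b"", 0
    while off < len(data):
        if off + 5 > len(data):
            raise ValueError("truncated record header")
        ctype, _maj, _min, length = struct.unpack("!BBBH", data[off:off + 5])
        if ctype != 22:
            raise ValueError("not a handshake record")
        if length > TLS_MAX_PLAINTEXT:
            raise ValueError("record exceeds TLS plaintext limit")
        frag = data[off + 5:off + 5 + length]
        if len(frag) != length:
            raise ValueError("truncated record body")
        hs += frag
        off += 5 + length
    if len(hs) < 4 or hs[0] != 1:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake message")
    p = 2 + 32                                       # skip version and random
    sid_len = body[p]; p += 1 + sid_len              # session_id
    cs_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2 + cs_len   # cipher_suites
    cm_len = body[p]; p += 1 + cm_len                # compression_methods
    if p == len(body):
        return {}                                    # no extensions block at all
    ext_total = struct.unpack("!H", body[p:p + 2])[0]; p += 2
    end = p + ext_total
    if end > len(body):
        raise ValueError("extensions block overruns ClientHello")
    exts = {}
    while p < end:
        if p + 4 > end:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", body[p:p + 4]); p += 4
        if p + ext_len > end:
            raise ValueError("extension overruns extensions block")
        exts[ext_type] = ext_len                     # last occurrence wins if duplicated
        p += ext_len
    return exts


def oversized_status_request(data, limit=1024):
    """Return (flagged, size): whether the status_request extension exceeds `limit` bytes."""
    size = parse_client_hello_extensions(data).get(STATUS_REQUEST, 0)
    return size > limit, size


# Constructed samples: a benign hello with SNI plus a 5-byte OCSP status request,
# and a bloated one carrying a 30001-byte status_request extension.
SNI_LOCALHOST = b"\x00\x0c" + b"\x00" + b"\x00\x09" + b"localhost"
NORMAL_HELLO = build_client_hello([(0, SNI_LOCALHOST),
                                   (STATUS_REQUEST, b"\x01\x00\x00\x00\x00")])
BLOATED_HELLO = build_client_hello([(STATUS_REQUEST, b"\x01" + bytes(30000))])

if __name__ == "__main__":
    for name, hello in (("normal", NORMAL_HELLO), ("bloated", BLOATED_HELLO)):
        flagged, size = oversized_status_request(hello)
        print(f"{name}: status_request={size} bytes, flagged={flagged}")
```

Because the growth described in the advisory comes from the same client renegotiating repeatedly, the check is most useful when applied to every ClientHello on a connection and counted per source, not just to the initial handshake; a single large extension is a signal to log, while repeated ones from one peer are the pattern worth alerting on.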

SSL_peek() hang on empty record (CVE-2016-6305)

Severity: Moderate
OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer sends an
empty record. This could be exploited by a malicious peer in a Denial Of Service

OpenSSL 1.1.0 users should upgrade to 1.1.0a

This issue was reported to OpenSSL on 10th September 2016 by Alex Gaynor. The
fix was developed by Matt Caswell of the OpenSSL development team.
