OpenSSL Security Advisory [22 Sep 2016]
========================================
OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
=====================================================================
Severity: High
A malicious client can send an excessively large OCSP Status Request extension.
If that client continually requests renegotiation, sending a large OCSP Status
Request extension each time, then there will be unbounded memory growth on the
server. This will eventually lead to a Denial Of Service attack through memory
exhaustion. Servers with a default configuration are vulnerable even if they do
not support OCSP. Builds using the "no-ocsp" build time option are not affected.
Servers using OpenSSL versions prior to 1.0.1g are not vulnerable in a default
configuration, instead only if an application explicitly enables OCSP stapling
support.
OpenSSL 1.1.0 users should upgrade to 1.1.0a
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 29th August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Matt Caswell of the OpenSSL
development team.
อ่านเพิ่มเติม
https://www.openssl.org/news/secadv/20160922.txt