Upcoming syslog-ng PE releases to fix OpenSSL vulnerability
------------------------------------------------------------------------------
SUMMARY : Upcoming syslog-ng PE releases to fix OpenSSL vulnerability
PACKAGE : syslog-ng Premium Edition
VERSION : all versions
DATE : Jun 12, 2014
------------------------------------------------------------------------------

DESCRIPTION:

OpenSSL has released updates patching 7 vulnerabilities, which may allow an attacker to decrypt or modify traffic between a vulnerable client and server, cause a denial of service condition, or remotely execute arbitrary code.

All maintained syslog-ng PE versions (4LTS, 5LTS, 5F1) are affected by the following CVEs:

CVE-2014-0221
CVE-2014-0224 (a.k.a the CCS Injection Vulnerability)
CVE-2014-0195
CVE-2014-0198
CVE-2014-5298
CVE-2014-3470
CVE-2014-0076

A security update of the affected versions shall be released as follows:

* 5.0.5a by the end of 2014Q2
* 4.0.7b in July 2014
* 5.1.1a in July 2014

As an immediate prevention against attacks based on the CCS Injection vulnerability, you should consider configuring two-way authentication for TLS-encrypted connections.

Best Regards,
BalaBit IT Security
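
The two-way (mutual) TLS authentication recommended above, sketched as a syslog-ng configuration for a log server and one client. This is an added example, not part of BalaBit's advisory; the file paths, port, host name and object names are assumptions to adapt to your installation.

```conf
# --- Log server: accept only clients that present a certificate
# --- signed by a CA found in ca-dir().
source s_tls {
    tcp(
        ip(0.0.0.0) port(6514)                              # assumed port
        tls(
            key-file("/opt/syslog-ng/etc/key.d/server.key")   # assumed path
            cert-file("/opt/syslog-ng/etc/cert.d/server.crt") # assumed path
            ca-dir("/opt/syslog-ng/etc/ca.d")                 # assumed path
            # One-way setup to move away from: the client is not
            # required to prove its identity.
            #   peer-verify(optional-untrusted)
            # Two-way setup: a valid, trusted client certificate is mandatory.
            peer-verify(required-trusted)
        )
    );
};

# --- Client: verify the server certificate and present the client's
# --- own key and certificate so the server can authenticate it.
destination d_tls {
    tcp(
        "logserver.example.com" port(6514)                   # assumed host and port
        tls(
            ca-dir("/opt/syslog-ng/etc/ca.d")                 # assumed path
            key-file("/opt/syslog-ng/etc/key.d/client.key")   # assumed path
            cert-file("/opt/syslog-ng/etc/cert.d/client.crt") # assumed path
            peer-verify(required-trusted)
        )
    );
};
```

With `ca-dir()`, the CA certificates must be present in the directory under their OpenSSL hash names; connections from clients without a trusted certificate are then refused during the TLS handshake.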