[syslog-ng-announce] Upcoming syslog-ng PE releases to fix OpenSSL vulnerability
devel at balabit.hu
Mon Jun 16 15:03:25 CEST 2014
------------------------------------------------------------------------------
SUMMARY : Upcoming syslog-ng PE releases to fix OpenSSL vulnerability
PACKAGE : syslog-ng Premium Edition
VERSION : all versions
DATE : Jun 12, 2014
------------------------------------------------------------------------------
DESCRIPTION:
OpenSSL has released updates patching 7 vulnerabilities, which may allow an attacker to decrypt or modify traffic between a vulnerable client and server, cause a denial of service condition, or remotely execute arbitrary code.
All maintained syslog-ng PE versions (4LTS, 5LTS, 5F1) are affected by the following CVEs:
CVE-2014-0221
CVE-2014-0224 (a.k.a. the CCS Injection Vulnerability)
CVE-2014-0195
CVE-2014-0198
CVE-2014-5298
CVE-2014-3470
CVE-2014-0076
A security update of the affected versions shall be released as follows:
* 5.0.5a by the end of 2014Q2
* 4.0.7b in July 2014
* 5.1.1a in July 2014
As an immediate mitigation against attacks based on the CCS Injection vulnerability, you should consider configuring two-way authentication for TLS-encrypted connections.
Best Regards,
BalaBit IT Security
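
The following is an added example, not part of the original announcement and not BalaBit's own configuration: one way to set up the two-way TLS authentication recommended above, with the server requiring a trusted client certificate and the client presenting one. The host name, port and all file paths are placeholder assumptions.

```conf
# Constructed example: host name, port and paths are placeholders.

# --- Server (log collector) ---
# A server-authentication-only setup often relaxes client checks, e.g.
#   tls( ... peer-verify(optional-untrusted) )
# For two-way authentication the server must demand a client certificate
# and validate it against the CAs it trusts.
source s_tls {
    tcp(
        ip(0.0.0.0) port(6514)
        tls(
            key-file("/path/to/server.key")
            cert-file("/path/to/server.crt")
            ca-dir("/path/to/ca.d")          # CAs that sign client certificates
            peer-verify(required-trusted)    # reject clients without a valid cert
        )
    );
};

# --- Client (log sender) ---
# The client presents its own key and certificate, and still verifies
# the server certificate against its trusted CAs.
destination d_tls {
    tcp(
        "logserver.example.com" port(6514)
        tls(
            key-file("/path/to/client.key")
            cert-file("/path/to/client.crt")
            ca-dir("/path/to/ca.d")          # CAs that sign the server certificate
            peer-verify(required-trusted)
        )
    );
};
```

Check any existing `tls()` block for `peer-verify(optional-trusted)` or `peer-verify(optional-untrusted)` on the server side, since either setting lets clients connect without presenting a certificate.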