[syslog-ng-announce] Upcoming syslog-ng PE releases to fix OpenSSL vulnerability

devel at balabit.hu devel at balabit.hu
Mon Jun 16 15:03:25 CEST 2014

SUMMARY             : Upcoming syslog-ng PE releases to fix OpenSSL vulnerability
PACKAGE             : syslog-ng Premium Edition
VERSION             : all versions
DATE                : Jun 12, 2014


OpenSSL has released updates patching 7 vulnerabilities, which may allow an attacker to decrypt or modify traffic between a vulnerable client and server, cause a denial of service condition, or remotely execute arbitrary code.

All maintained syslog-ng PE versions (4LTS, 5LTS, 5F1) are affected by the following CVEs:

CVE-2014-0224 (a.k.a the CCS Injection Vulnerability)

A security update of the affected versions shall be released as follows:
* 5.0.5a by the end of 2014Q2
* 4.0.7b in July 2014
* 5.1.1a in July 2014

As an immediate prevention against attacks based on the CCS Injection vulnerability, you should consider configuring two-way authentication for TLS-encrypted connections.

Best Regards,

BalaBit IT Security

You are receiving this email because you showed interest in our  products.

Unsubscribe <http://www.balabit.com/newsletter/unsubscribe/4398019b4f2681fdce75b07177a6376942acc171/70ad6e5f080b1071>

from the syslog-ng Premium Edition Technical Newsletter.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 199 bytes
Desc: not available
Url : http://lists.balabit.hu/pipermail/syslog-ng-announce/attachments/20140616/3b309172/attachment.pgp 

More information about the syslog-ng-announce mailing list