Security Advisory: OpenSSL Vulnerability
Posted by Kevin Stange on 09 July 2015 02:07 PM
A vulnerability has recently been disclosed in the OpenSSL library, affecting versions 1.0.1n and 1.0.2b and later. This vulnerability could allow a malicious user to trick software into believing a certificate is trusted when it should not be. It has been assigned the ID CVE-2015-1793 in the Common Vulnerabilities and Exposures database.

This issue primarily affects client applications (such as web browsers and email clients) and services that validate client certificate chains (such as certificate-based VPN services, email encryption systems, and web sites that use a certificate to log you in), so most common server configurations are likely not affected.

We have evaluated supported operating systems and confirmed that CentOS 5, 6 and 7, and Debian Squeeze (6), Wheezy (7), and Jessie (8) are not impacted, because they do not provide a version of OpenSSL that includes the affected feature. Windows does not include OpenSSL software by default.

If you are running LiteSpeed web server version 4.2.23, 5.0 or 5.0.1, you are affected. You can see which version you are using by running the command:

    /usr/local/lsws/bin/lshttpd -v

If you have one of the affected versions, we recommend that you upgrade. If you are running 4.2.23 or older, please upgrade to 4.2.24 using the following command:

    /usr/local/lsws/admin/misc/lsup.sh -v 4.2.24

If you are running version 5.0 or 5.0.1, please upgrade to 5.0.2 instead using this command:

    /usr/local/lsws/admin/misc/lsup.sh -v 5.0.2

Please note that we do not recommend upgrading from the 4.2 series to the 5.0 series at this time. For more information, please see the following references:
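As an added example (not part of the original advisory), the POSIX sh triage below encodes the checks above: it pulls a version out of a line of `lshttpd -v` output, classifies it against the affected LiteSpeed versions, and prints the matching lsup.sh command without running it. The `lshttpd -v` output format is assumed and the sample line is constructed; the affected OpenSSL builds in `openssl_status` come from the OpenSSL project's own advisory for CVE-2015-1793 (fixed in 1.0.1p and 1.0.2d), not from this page.

```shell
#!/bin/sh
# Version triage for CVE-2015-1793 as described in the advisory above.
# Read-only: nothing here modifies the host or touches the network.

# Pull the first "x.y[.z]" token out of a line of version output.
# The real `lshttpd -v` output format is not shown in the advisory,
# so the sample line used at the bottom is constructed.
extract_version() {
  printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)*' | head -n 1
}

# LiteSpeed versions the advisory lists as affected.
litespeed_status() {
  case "$1" in
    4.2.23|5.0|5.0.1) echo affected ;;
    *) echo not-affected ;;
  esac
}

# Upgrade target per the advisory: 4.2.23 or older -> 4.2.24,
# 5.0 / 5.0.1 -> 5.0.2, never crossing from 4.2 to 5.0; otherwise none.
upgrade_target() {
  case "$1" in
    4.2.*) if [ "${1#4.2.}" -le 23 ] 2>/dev/null; then echo 4.2.24; else echo none; fi ;;
    4.*)   echo 4.2.24 ;;
    5.0|5.0.1) echo 5.0.2 ;;
    *)     echo none ;;
  esac
}

# The lsup.sh invocation the advisory gives, or nothing if no upgrade applies.
lsup_command() {
  t=$(upgrade_target "$1")
  [ "$t" = none ] || echo "/usr/local/lsws/admin/misc/lsup.sh -v $t"
}

# OpenSSL builds affected upstream (OpenSSL project advisory for CVE-2015-1793):
# 1.0.1n, 1.0.1o, 1.0.2b, 1.0.2c. Fixed in 1.0.1p and 1.0.2d.
openssl_status() {
  case "$1" in
    1.0.1n|1.0.1o|1.0.2b|1.0.2c) echo affected ;;
    *) echo not-affected ;;
  esac
}

# Stand-alone run against a constructed sample line (not real command output).
sample='LiteSpeed/5.0.1 Enterprise'   # constructed
v=$(extract_version "$sample")
echo "LiteSpeed $v: $(litespeed_status "$v"); fix: $(lsup_command "$v")"
```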
If you are running any other applications which provide their own copy of OpenSSL, we recommend that you check with the application vendor to see if you need to apply a security patch. If you have any questions or need assistance, please contact us and we'll be happy to help.