Jonkman Microblog

  1. GeniusMusing (geniusmusing@nu.federati.net)'s status on Tuesday, 08-Dec-2020 20:06:10 EST
    OpenSSL Releases Security Update CISA
    https://us-cert.cisa.gov/ncas/current-activity/2020/12/08/openssl-releases-security-update

    >OpenSSL has released a security update to address a vulnerability affecting all versions of 1.0.2 and 1.1.1 released before version 1.1.1i. An attacker could exploit this vulnerability to cause a denial-of-service condition.

    openssl.org/news/secadv/20201208.txt
    https://www.openssl.org/news/secadv/20201208.txt

    >EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)
    >======================================================
    >
    >Severity: High
    >
    >The X.509 GeneralName type is a generic type for representing different types
    >of names. One of those name types is known as EDIPartyName. OpenSSL provides a
    >function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME
    >to see if they are equal or not. This function behaves incorrectly when both
    >GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash
    >may occur leading to a possible denial of service attack.
    >
    >OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes:
    >1) Comparing CRL distribution point names between an available CRL and a CRL
    > distribution point embedded in an X509 certificate
    >2) When verifying that a timestamp response token signer matches the timestamp
    > authority name (exposed via the API functions TS_RESP_verify_response and
    > TS_RESP_verify_token)
    >
    >If an attacker can control both items being compared then that attacker could
    >trigger a crash.
    >...

    #OpenSSL #Security #Update
    In conversation Tuesday, 08-Dec-2020 20:06:10 EST from nu.federati.net
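The advisory quoted above gives the affected ranges in prose (every 1.0.2 release, and 1.1.1 releases before 1.1.1i). The following is an added example, not part of the post or of OpenSSL's advisory, that turns those ranges into a runnable inventory check: it parses the banner printed by `openssl version` (OpenSSL's letter-suffixed scheme, where 1.1.1h sorts before 1.1.1i) and classifies the build against CVE-2020-1971. The function names, the "not covered" verdict for branches the advisory excerpt does not mention, and the sample banners are assumptions made for the example.

```python
import re
import subprocess

# Assumption: only the facts stated in the advisory excerpt are encoded here.
# Every 1.0.2 release is affected; 1.1.1 releases before 1.1.1i are affected
# and 1.1.1i carries the fix. Other branches are reported as "not covered".
FIXED_111_SUFFIX = "i"

# Matches "1.1.1h", "1.0.2u" or a bare "1.1.1" inside an `openssl version` banner.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, patch, letter_suffix) from an `openssl version`
    banner such as 'OpenSSL 1.1.1h  22 Sep 2020' or a bare '1.1.1h'.

    Raises ValueError when no dotted version number is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version number found in {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4)


def _suffix_key(suffix):
    # OpenSSL letter suffixes order as '' < 'a' < ... < 'z' < 'za' < 'zb';
    # comparing (length, string) reproduces that ordering exactly.
    return (len(suffix), suffix)


def classify_openssl_version(text):
    """Classify a version banner for CVE-2020-1971.

    'affected'    - inside a range the advisory lists as vulnerable
    'fixed'       - 1.1.1i or a later 1.1.1 letter release
    'not covered' - a branch the advisory excerpt does not address
    """
    major, minor, patch, suffix = parse_openssl_version(text)
    branch = (major, minor, patch)
    if branch == (1, 0, 2):
        return "affected"
    if branch == (1, 1, 1):
        if _suffix_key(suffix) < _suffix_key(FIXED_111_SUFFIX):
            return "affected"
        return "fixed"
    return "not covered"


def check_local_openssl(binary="openssl"):
    """Run `<binary> version` on this host and classify its output."""
    proc = subprocess.run([binary, "version"], capture_output=True,
                          text=True, check=True)
    banner = proc.stdout.strip()
    return banner, classify_openssl_version(banner)


# Constructed sample banners in the format `openssl version` prints, used
# here only to show the classifier's behaviour offline.
SAMPLE_BANNERS = [
    "OpenSSL 1.1.1h  22 Sep 2020",
    "OpenSSL 1.1.1i  8 Dec 2020",
    "OpenSSL 1.0.2u  20 Dec 2019",
    "OpenSSL 1.1.0l  10 Sep 2019",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner}: {classify_openssl_version(banner)}")
    try:
        live_banner, verdict = check_local_openssl()
        print(f"local: {live_banner}: {verdict}")
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print(f"local openssl binary not checked: {exc}")
```

One caveat when using this for real inventory: the `openssl` command on PATH is not necessarily the library an application is linked against. Statically linked or bundled copies (language runtimes, container images, appliances) have to be checked individually, for example by inspecting the version string embedded in the linked library rather than trusting the system binary.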
Jonkman Microblog is a social network, courtesy of SOBAC Microcomputer Services. It runs on GNU social, version 1.2.0-beta5, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All Jonkman Microblog content and data are available under the Creative Commons Attribution 3.0 license.
