OpenSSL CVE-2014-8176 Buffer Overflow Vulnerability

Description

Severity: Moderate

This vulnerability does not affect current versions of OpenSSL. It existed in previous OpenSSL versions and was fixed in June 2014.

If a DTLS peer receives application data between the ChangeCipherSpec and Finished messages, buffering of such data may cause an invalid free, resulting in a segmentation fault or, potentially, memory corruption.

This issue affected older OpenSSL versions 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h.

This issue was originally reported on March 28th 2014 in https://rt.openssl.org/Ticket/Display.html?id=3286 by Praveen Kariyanahalli, and subsequently by Ivan Fratric and Felix Groebert.

The fix for this issue can be identified by commits bcc31166 (1.0.1), b79e6e3a (1.0.0) and 4b258e73 (0.9.8).

Note

As per our previous announcements and our Release Strategy, support for 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these releases will be provided after that date. Users of these releases are advised to upgrade.

References

URL for this Security Advisory:
https://www.openssl.org/news/secadv_20150611.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html
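As an added example (not part of the advisory and not OpenSSL's own code), the following Python triages an upstream OpenSSL version string against the three fixed releases named above (0.9.8za, 1.0.0m, 1.0.1h). It assumes the legacy OpenSSL letter-suffix scheme, in which patch releases run a, b, ..., z and then za, zb, ..., so that 0.9.8za is newer than 0.9.8y; the `FIXED_IN` table, the helper names and the sample strings are constructed for this example. Two caveats a practitioner should keep in mind: distribution vendors backport fixes without bumping the upstream version string (a build reporting 1.0.1e-fips may already carry the fix), so a version match is a reason to check the vendor changelog rather than a verdict; and only applications that actually speak DTLS are exposed.

```python
import re
import subprocess
from typing import Optional, Tuple

# Constructed from the advisory text: first fixed patch release per affected
# series. Keys are (major, minor, fix); values are the patch-letter suffix.
FIXED_IN = {
    (0, 9, 8): "za",
    (1, 0, 0): "m",
    (1, 0, 1): "h",
}

# Matches "1.0.1e" inside strings such as "OpenSSL 1.0.1e-fips 11 Feb 2013".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def patch_letters_to_int(letters: str) -> int:
    """Map a legacy OpenSSL patch-letter suffix to an ordinal.

    '' -> 0, 'a' -> 1, ..., 'z' -> 26, 'za' -> 27, 'zb' -> 28, ...
    Every letter before the last must be 'z'; anything else is rejected.
    This matches the PP byte of the old OPENSSL_VERSION_NUMBER encoding,
    e.g. 0.9.8za is 0x009081bf and its patch byte 0x1b == 27.
    """
    if not letters:
        return 0
    if any(ch != "z" for ch in letters[:-1]) or not "a" <= letters[-1] <= "z":
        raise ValueError(f"bad OpenSSL patch suffix {letters!r}")
    return sum(ord(ch) - ord("a") + 1 for ch in letters)


def parse_version(text: str) -> Tuple[Tuple[int, int, int], int]:
    """Return ((major, minor, fix), patch_ordinal) for the first version in text."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    series = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return series, patch_letters_to_int(m.group(4))


def is_affected(text: str) -> Optional[bool]:
    """Classify an upstream version string against the advisory.

    True  -> series is listed in the advisory and predates the fix
    False -> series is listed and the version is at or past the fix
    None  -> series not covered by the advisory (e.g. 1.0.2, 1.1.x, 3.x),
             or the string could not be parsed
    """
    try:
        series, patch = parse_version(text)
    except ValueError:
        return None
    fixed = FIXED_IN.get(series)
    if fixed is None:
        return None
    return patch < patch_letters_to_int(fixed)


def local_openssl_status() -> Tuple[str, Optional[bool]]:
    """Run `openssl version` on this host and classify the result.

    Returns (raw version line, is_affected verdict). If no openssl binary is
    on PATH the raw string is empty and the verdict is None.
    """
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=False).stdout.strip()
    except OSError:
        return "", None
    return out, is_affected(out)


if __name__ == "__main__":
    # Constructed sample strings, in the shape `openssl version` prints them.
    samples = [
        "OpenSSL 0.9.8y 5 Feb 2013",
        "OpenSSL 0.9.8za 5 Jun 2014",
        "OpenSSL 1.0.0l 6 Jan 2014",
        "OpenSSL 1.0.1e-fips 11 Feb 2013",  # may be patched by the vendor
        "OpenSSL 1.0.1h 5 Jun 2014",
        "OpenSSL 1.0.2a 19 Mar 2015",
    ]
    for s in samples:
        print(f"{s!r:40} affected={is_affected(s)}")
    raw, verdict = local_openssl_status()
    print(f"local: {raw!r} affected={verdict}")
```

A `True` here means "upstream version predates the fix"; confirm against the distribution's changelog (or the `OPENSSL_VERSION_TEXT` of the library actually linked into the DTLS application) before treating it as exploitable, and a `None` for 1.0.2 or later is expected, since those series were released after the fix.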

Affected Applications

OpenSSL

CVE References

CVE-2014-8176