If you're curious to read the full official release announcement from the OpenSSL team it's available here (.txt document). Rather than replicate all the details in this post, it's probably best to simply point curious folks to the full advisory notification.
Our editorial perspective on this "i" release by the OpenSSL team is threefold:
- First, most of the patched bugs appear to be relatively moderate, and look to involve potential denial-of-service or forced-crash attacks that can be accomplished by throwing various malformed protocol parameters back and forth during or prior to secure session initiation. It's good to see these patched, even though none seem life & death on the surface.
Second, the one patched vuln that seems most noteworthy to us is CVE-2014-3511, titled as "OpenSSL TLS protocol downgrade attack." These kinds of downgrade attacks are widespread and can be deadly effective, in particular in assisting in successful man in the middle (MiTM) attacks. We require current OpenSSL libraries in order to initiate cryptostorm sessions with clients, and we don't allow below-current TLS versions to be used in network sessions exactly because of the presence of so many effective downgrade-based attack vectors. So, this particular attack wouldn't work against cryptostorm network sessions (prior to the "i" version patch), but we're still glad to see it patched since many 'naive' security services do not force current protocol adherence & thus are vulnerable to these attack categories. Because many people (wrongly) think of downgrade attacks as not 'sexy,' they don't get as much attention as (for example) Heartbleed. This is unfortunate; it's good to see that changing, nowadays.
third, we note that Google has submitted a majority of the vulns that were patched during this OpenSSL update cycle, as well as several of the patches (src) themselves. Good on Google! More specifically, we see that the inestimable Adam Langley, who currently calls Google home, is firsthand involved in a number of these vulns & submitted himself several of the patches as well. Adam is a treasured resource within the cryptographic community, not just for his deep elliptical curve expertise but for his overall knowledge set and notable willingness to share that knowledge widely with the larger community. Seeing Adam's fingerprints on these current OpenSSL patches is a truly heartening sign of positive changes, post-Heartbleed, in the depth of support provided to the OpenSSL project by not only the broad crypto community, but also by companies like Google and credentialled wise ones like Adam. So, in a word: hooray!
That's about it for this patch. Folks running *nix systems client-side might want to bring their OpenSSL versions current via whatever appropriate distro procedures are applicable (yum, apt-get, etc.). Some distros will handle this automatically, but it's worth double-checking to be sure.
- ~ cryptostorm_admin