Old openssl libraries


#1

Hi

The Nsclient++ installation contains old openssl libraries, version 1.0.1j. This version contains the OpenSSL oracle padding vulnerability (CVE-2016-2107). This version is included in the last version, 0.5.2.

THREAT: The OpenSSL Project is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS) protocols as well as a general purpose cryptography library. OpenSSL contains the following vulnerability: A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI.

Affected Versions:
OpenSSL 1.0.2 prior to OpenSSL 1.0.2h
OpenSSL 1.0.1 prior to OpenSSL 1.0.1t

IMPACT: A MITM attacker can use a padding oracle attack to decrypt traffic.

SOLUTION: OpenSSL version 1.0.2h and 1.0.1t have been released to address these issues. Refer to OpenSSL Advisory (https://www.openssl.org/news/secadv/20160503.txt) to obtain more information. For applications that bundle OpenSSL, please contact the vendor for updates.

Patch: Following are links for downloading patches to fix the vulnerabilities: OpenSSL Security Advisory 3rd May 2016 (https://www.openssl.org/news/secadv/20160503.txt)

Can the openssl library be updated to the latest version?

Thanks
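To check a bundled library against the affected ranges quoted in the post above, the following added example (not part of the original post and not NSClient++ code) extracts OpenSSL version banners from a binary's bytes and compares them with the fixed releases 1.0.1t and 1.0.2h. The function names and the sample bytes are constructed for illustration; branches the quoted advisory text does not list are reported as not in range rather than as safe.

```python
import re

# Fixed releases per branch, taken from the advisory text quoted in the post.
FIXED = {(1, 0, 1): "t", (1, 0, 2): "h"}

# Version banner that OpenSSL 1.0.x builds embed, e.g. "OpenSSL 1.0.1j 15 Oct 2014".
BANNER = re.compile(
    rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]{0,2})\s+\d{1,2} [A-Z][a-z]{2} \d{4}"
)


def letter_key(suffix):
    # Patch letters sort a..z, then za, zb, ...; the empty suffix is the base release.
    return (len(suffix), suffix)


def parse_version(text):
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]{0,2})", text.strip())
    if not m:
        raise ValueError(f"not an OpenSSL 1.0.x-style version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3])), m[4]


def in_affected_range(version):
    """True if version falls in the ranges the advisory lists for CVE-2016-2107."""
    branch, suffix = parse_version(version)
    fixed = FIXED.get(branch)
    if fixed is None:
        return False  # branch not listed in the quoted advisory text
    return letter_key(suffix) < letter_key(fixed)


def scan_bytes(data):
    """Return sorted (version, in_affected_range) pairs for banners found in a binary."""
    found = set()
    for m in BANNER.finditer(data):
        found.add(f"{int(m[1])}.{int(m[2])}.{int(m[3])}{m[4].decode()}")
    return sorted((v, in_affected_range(v)) for v in found)


# Constructed sample: bytes shaped like a fragment of a bundled library.
SAMPLE = b"\x00\x01part of OpenSSL 1.0.1j 15 Oct 2014\x00\x00OpenSSL 1.0.2h  3 May 2016\x00"

if __name__ == "__main__":
    for version, affected in scan_bytes(SAMPLE):
        print(version, "affected" if affected else "not in listed range")
```

To check a real installation, pass the contents of each bundled library file (read in binary mode) to `scan_bytes`.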