Red Hat Security Blog: October 2014 archives

  • Can SSL 3.0 be fixed? An analysis of the POODLE attack.

    SSL and TLS are cryptographic protocols which allow users to securely communicate over the Internet. Their development history is no different from other standards on the Internet. Security flaws were found with older versions and other improvements were required as technology progressed (for example elliptic curve cryptography or ECC), which led to the creation of newer versions of the protocol. It is easier to write newer standards, and maybe even implement them in code, than to adapt...
    Posted 2014-10-20T14:27:34+00:00
  • POODLE - An SSL 3.0 Vulnerability (CVE-2014-3566)

    Red Hat Product Security has been made aware of a vulnerability in the SSL 3.0 protocol, which has been assigned CVE-2014-3566. All implementations of SSL 3.0 are affected. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack. To mitigate this vulnerability, it is recommended that you explicitly disable SSL 3.0 in favor of TLS 1.1 or later in all affected packages. A brief history: Transport Layer Security (TLS) and its...
    Posted 2014-10-15T14:44:40+00:00
  • The Source of Vulnerabilities, How Red Hat finds out about vulnerabilities.

    Red Hat Product Security track lots of data about every vulnerability affecting every Red Hat product. We make all this data available on our Measurement page and from time to time write various blog posts and reports about interesting metrics or trends. One metric we've not written about since 2009 is the source of the vulnerabilities we fix. We want to answer the question of how did Red Hat Product Security first hear about each vulnerability? Every vulnerability that affects a Red Hat...
    Posted 2014-10-08T13:30:48+00:00