Madrigal xTuple / PostBooks Mobile Client Update
Paladin Logic is pleased to announce a Madrigal xTuple / PostBooks mobile client update for the Android platform. Several security flaws were recently discovered in OpenSSL. The OpenSSL community responded quickly: the fixes were written, tested, and released.
The new OpenSSL 1.0.1h release fixes seven security defects in the widely used library. According to the OpenSSL Security Advisory, and taken straight from the referenced web page, they are:
- SSL/TLS MITM vulnerability (CVE-2014-0224)
  - An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.
- DTLS recursion flaw (CVE-2014-0221)
  - By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse, eventually crashing in a DoS attack.
- DTLS invalid fragment vulnerability (CVE-2014-0195)
  - A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server.
  - Only applications using OpenSSL as a DTLS client or server are affected.
- SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
  - A flaw in the do_ssl3_write function can allow remote attackers to cause a denial of service via a NULL pointer dereference. This flaw only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.
- SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
  - A race condition in the ssl3_read_bytes function can allow remote attackers to inject data across sessions or cause a denial of service.
  - This flaw only affects multithreaded applications using OpenSSL 1.0.0 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.
- Anonymous ECDH denial of service (CVE-2014-3470)
  - OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack.

References: OpenSSL Security Advisory secadv_20140605.txt
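A quick way to confirm that the OpenSSL a build links against is at or past the 1.0.1h release named above. This is an added example, not code from Paladin Logic or the Madrigal app; it parses an `openssl version` style banner (the sample banners are constructed) and judges only the 1.0.1 branch, since 1.0.1h is the release this announcement names; other branches are reported as unknown.

```python
import re
import ssl

# 1.0.1h is the first 1.0.1 release carrying the advisory's fixes.
# The patch letter maps to a number: 'a' -> 1, ..., 'h' -> 8.
FIXED_1_0_1 = (1, 0, 1, 8)

# The CVEs listed in the announcement above.
ADVISORY_CVES = (
    "CVE-2014-0224", "CVE-2014-0221", "CVE-2014-0195",
    "CVE-2014-0198", "CVE-2010-5298", "CVE-2014-3470",
)

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Turn 'OpenSSL 1.0.1g 7 Apr 2014' into the tuple (1, 0, 1, 7).

    A bare '1.0.1' with no patch letter is patch level 0. Letters are
    summed positionally so that a two-letter suffix sorts after 'z'.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    patch = sum(ord(c) - ord("a") + 1 for c in m.group(4))
    return (major, minor, fix, patch)


def assess(banner):
    """Return (needs_update, cves_still_open) for a 1.0.1-branch banner.

    Returns None for any other branch: the announcement only names
    1.0.1h, so this check makes no claim about 0.9.8, 1.0.0 or later.
    """
    version = parse_openssl_version(banner)
    if version[:3] != (1, 0, 1):
        return None
    needs_update = version < FIXED_1_0_1
    return needs_update, (ADVISORY_CVES if needs_update else ())


def local_openssl_status():
    """Assess the OpenSSL this Python interpreter is linked against."""
    return assess(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    # Constructed banners for a pre-fix and the fixed 1.0.1 release.
    for banner in ("OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.1h 5 Jun 2014"):
        print(banner, "->", assess(banner))
    print("local:", ssl.OPENSSL_VERSION, "->", local_openssl_status())
```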
If you have already purchased the Madrigal xTuple / PostBooks Mobile Client, thank you; you will receive a notice when it is time to update your app.
If you have not yet purchased Madrigal then you ought to hurry. Only 1 month remains in our introductory offer of half price for the first 60 days!