OpenSSL 1.0.1l released

Looking for a bit more than customer support, and want to learn more about what cryptostorm is , what we've been announcing lately, and how the cryptostorm network makes the magic? This is a great place to start, so make yourself at home!
User avatar
Site Admin
Posts: 472
Joined: Thu Jan 01, 1970 5:00 am

OpenSSL 1.0.1l released

Post by df » Wed Oct 15, 2014 9:49 pm

OpenSSL 1.0.1l was just released. Although the only major change in this version from 1.0.1k was "Build fixes for the Windows and OpenVMS platforms", we still upgraded to it just because it's a good habit to always have the most current version. So all the servers/nodes are upgraded to the latest OpenSSL.

The entire release notes list for 1.0.1 is always available at

For historical reasons, here's last version's post:

OpenSSL 1.0.1k was released a few days ago, so everything has been upgraded again. Just to clarify, we are on the OpenSSL mailing list so we were made aware of it as soon as it was released, and we upgraded all the servers for it the same day. It's just this forum post that's coming out a little late, not the upgrade to 1.0.1k.

This version fixes the following vulnerabilities:
DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)
DTLS memory leak in dtls1_buffer_record (CVE-2015-0206)
no-ssl3 configuration sets method to NULL (CVE-2014-3569)
ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)
RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
DH client certificates accepted without verification [Server] (CVE-2015-0205)
Certificate fingerprints can be modified (CVE-2014-8275)
Bignum squaring may produce incorrect results (CVE-2014-3570)

More information is at
OpenSSL 1.0.1j was released about an ago. All the nodes have been upgraded to this version and the OpenVPN processes have all been restarted.
(OpenSSH has also been upgraded to 6.7p1 while we were in there too, just because :D, even though that's firewalled off).

OpenSSL version 1.0.1j fixes the following vulnerabilities:
SRTP Memory Leak (CVE-2014-3513)
Session Ticket Memory Leak (CVE-2014-3567)
SSL 3.0 Fallback protection (The POODLE thing [CVE-2014-3566], among others)
Build option no-ssl3 is incomplete (CVE-2014-3568)

For more information, visit