LSWS 4.2.12 Fixes Newest OpenSSL Vulnerability
This latest OpenSSL vulnerability affects all versions of OpenSSL, so it is suggested that all users upgrade to 4.2.12.
A New OpenSSL Vulnerability
Well, at least we all know how to upgrade OpenSSL now.
Right on the heels of Heartbleed, Japanese researcher Masashi Kikuchi has recently discovered and reported the CCS Injection vulnerability (CVE-2014-0224). There is some disagreement over whether this bug is more or less dangerous than Heartbleed, though most seem to think it is less likely to be exploited.
Here is Kikuchi’s explanation of the bug.
Fixed in 4.2.12
We have released our newest version of LiteSpeed Web Server with a fix for this bug. The easiest way to upgrade is using the lsup script:
/usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.12
Unlike Heartbleed, which had been introduced to the OpenSSL code relatively recently, this vulnerability exists in all (or all recent) versions of OpenSSL. This means that we recommend all users to upgrade to 4.2.12 when they have a chance.