Updating openssl due to security scan
Researchers from several universities and institutions conducted a study that found an issue in the TLS protocol. In their report, the researchers describe two attack methods. FREAK stands for "Factoring RSA-EXPORT Keys." The vulnerability dates back to the 1990s, when the US government banned selling crypto software overseas unless it used export cipher suites, which involved encryption keys no longer than 512 bits. It turns out that some modern TLS clients - including Apple's Secure Transport and OpenSSL - have a bug in them. But the risk from RC4 only grows: more cryptanalysis will surface over time. FREAK is a man-in-the-middle (MITM) vulnerability discovered by a group of cryptographers at INRIA, Microsoft Research and IMDEA. Heartbleed may be exploited regardless of whether the party using a vulnerable OpenSSL instance for TLS is a server or a client.
OpenSSL 1.0.1g, released on 7th of April 2014, fixes the bug.
Moreover, there is reason to believe that the NSA has broken RC4, their so-called "big breakthrough." Disabling RC4 has several ramifications.
One, users with shitty browsers such as Internet Explorer on Windows XP will use 3DES instead. Two, disabling RC4 makes TLS 1.0 users susceptible to the BEAST attack, by moving them to AES-CBC (the usual server-side BEAST "fix" is to prioritize RC4 above all else).
By breaking one 1024-bit prime, one could eavesdrop on 18 percent of the top one million HTTPS domains.
Breaking a second prime would open up 66 percent of VPNs and 26 percent of SSH servers.