SECURITY VULNERABILITY NOTIFICATION

On September 26, 2016, the OpenSSL organization announced the following security vulnerabilities in the OpenSSL library, https://www.openssl.org/news/secadv/20160926.txt

 

Fix Use After Free for large message sizes (CVE-2016-6309)

OpenSSL Severity: Critical

Impact: Only impacts OpenSSL 1.1.0 users.  Our ODBC drivers are not impacted.

 

Missing CRL sanity check (CVE-2016-7052)

OpenSSL Severity: Moderate

Impact: This issue only affects OpenSSL 1.0.2i.

Our ODBC drivers are not impacted.

 

 IMPACT ASSESSMENT

The Progress DataDirect ODBC on-premise drivers, SequeLink and OpenAccess products support OpenSSL 1.0.2h.  Based on our assessment of these vulnerabilities, those products are not affected by the vulnerabilities listed above, and will not be updated with the latest version of the OpenSSL library.