We try to stay on top of security fixes for WebCrossing servers. This new release includes an update to the OpenSSL library we use.
To get all geeky, the issue fixed was this: calling the SSL_check_chain() function during or after a TLS 1.3 handshake may crash the application with a NULL pointer dereference, caused by incorrect handling of the “signature_algorithms_cert” TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. A malicious peer could exploit this in a Denial of Service attack. OpenSSL versions 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue.
We recommend that you keep your site secure: if you are using locked and secure servers, update to this latest build.
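One way to check whether an OpenSSL build is one of the affected releases listed above, either the library the local Python interpreter is linked against or a version banner collected from another host. This is an added example, not WebCrossing or OpenSSL code; the function names and sample banners are constructed for illustration, and it compares version strings only, so a distribution package that backported the fix without changing its version letter will still be flagged.

```python
import re
import ssl

# Affected releases, as listed in the announcement above.
AFFECTED = {"1.1.1d", "1.1.1e", "1.1.1f"}

# Matches "OpenSSL 1.1.1f  31 Mar 2020" and "OpenSSL 1.0.2k-fips ..."
_BANNER_RE = re.compile(r"\bOpenSSL\s+(\d+\.\d+\.\d+[a-z]*)")


def version_from_banner(banner):
    """Return e.g. '1.1.1f' from an `openssl version` style banner, or None."""
    m = _BANNER_RE.search(banner)
    return m.group(1) if m else None


def version_from_number(num):
    """Decode OPENSSL_VERSION_NUMBER into a version string."""
    major = (num >> 28) & 0xF
    minor = (num >> 20) & 0xFF
    fix = (num >> 12) & 0xFF
    patch = (num >> 4) & 0xFF
    if major >= 3:
        # 3.x layout is 0xMNN00PP0: no fix field, no letter suffix.
        return f"{major}.{minor}.{patch}"
    # Pre-3.0 layout is 0xMNNFFPPS: patch 1 is 'a', 4 is 'd', 6 is 'f'.
    letter = chr(ord("a") + patch - 1) if 1 <= patch <= 26 else ""
    return f"{major}.{minor}.{fix}{letter}"


def is_affected(version):
    """True only for the releases named in the announcement."""
    return version in AFFECTED


def check_local():
    """Check the OpenSSL build this Python interpreter is linked against."""
    version = version_from_number(ssl.OPENSSL_VERSION_NUMBER)
    return version, is_affected(version)


if __name__ == "__main__":
    print("local:", check_local())
    # Constructed sample banners, e.g. collected with `openssl version`.
    for banner in ("OpenSSL 1.1.1f  31 Mar 2020", "OpenSSL 1.1.1g  21 Apr 2020",
                   "OpenSSL 1.0.2k-fips  26 Jan 2017", "LibreSSL 2.8.3"):
        v = version_from_banner(banner)
        print(f"{banner!r}: version={v} affected={is_affected(v)}")
```

A match means the build needs the vendor's fixed package or a rebuild against a later OpenSSL release; a non-match says nothing about other OpenSSL issues.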
The latest release version is now WebCrossing 6.4-b48fd52 2020-06-30.
All self-hosted customers with valid support and maintenance contracts can download this new version at no cost.
If you are a self-hosted customer and have a valid support and maintenance contract, please contact support for access to the new server. If your support and maintenance contract has expired, please contact us to renew so we can provide you with this important update.