OpenSSL Vulnerability Patched

Thursday, February 16, 2017 @ 05:02 PM gHale


OpenSSL released version 1.1.0e, which patched a high severity denial of service (DoS) vulnerability.

The issue, reported by Joe Orton of Red Hat at the end of January, does not affect OpenSSL 1.0.2.


The flaw is an “Encrypt-Then-Mac renegotiation crash.”

“During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers are affected,” the OpenSSL Project said in an advisory.

On the subject of supported versions, the OpenSSL Project reminded users that versions 1.0.1, 1.0.0 and 0.9.8 no longer receive support and no longer get security updates. Version 1.0.2 has a long-term support (LTS) end date of December 31, 2019, and there are no plans for a 1.0.3 release.
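For administrators triaging this advisory across a fleet, the practical question is whether a given OpenSSL build is in the affected 1.1.0 range (1.1.0 through 1.1.0d), already at 1.1.0e or later, on the unaffected 1.0.2 branch, or on a branch that no longer receives fixes at all. The following Python script is an added example, not code from the OpenSSL Project or from this article: it parses the banner printed by `openssl version` (or exposed as Python's `ssl.OPENSSL_VERSION`) into OpenSSL's major.minor.fix plus patch-letter scheme and classifies it using only the version facts stated above. The function names and the sample banners are constructed for the example.

```python
import re
import ssl
from typing import NamedTuple

# Matches banners such as "OpenSSL 1.1.0d  26 Jan 2017"; the trailing
# letter is OpenSSL's pre-3.0 patch-release marker ('' for the .0 release).
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    letter: str  # patch letter; tuple ordering gives '' < 'a' < 'b' < ...


def parse_version(banner: str) -> OpenSSLVersion:
    """Extract the numeric version and patch letter from an OpenSSL banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    return OpenSSLVersion(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


# Facts from the advisory as reported above: 1.1.0e carries the fix,
# 1.0.2 is not affected, and 1.0.1 / 1.0.0 / 0.9.8 get no security updates.
PATCHED = OpenSSLVersion(1, 1, 0, "e")
UNSUPPORTED_BRANCHES = {(1, 0, 1), (1, 0, 0), (0, 9, 8)}


def assess(banner: str) -> str:
    """Classify a build relative to the Encrypt-Then-Mac renegotiation fix.

    Returns one of: 'affected', 'patched', 'not-affected', 'unsupported',
    or 'unknown' for branches this advisory says nothing about.
    """
    v = parse_version(banner)
    branch = (v.major, v.minor, v.fix)
    if branch in UNSUPPORTED_BRANCHES:
        return "unsupported"  # no fix will ever ship; move to a supported branch
    if branch == (1, 1, 0):
        # NamedTuple comparison is lexicographic, so the letter decides here.
        return "patched" if v >= PATCHED else "affected"
    if branch == (1, 0, 2):
        return "not-affected"
    return "unknown"


def assess_local() -> str:
    """Classify the OpenSSL library the running Python interpreter links against."""
    return assess(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    # Constructed sample banners, one per outcome the advisory distinguishes.
    samples = [
        "OpenSSL 1.1.0d  26 Jan 2017",
        "OpenSSL 1.1.0e  16 Feb 2017",
        "OpenSSL 1.0.2k  26 Jan 2017",
        "OpenSSL 1.0.1u  22 Sep 2016",
    ]
    for banner in samples:
        print(f"{banner:32} -> {assess(banner)}")
    print(f"{'this interpreter':32} -> {assess_local()}")
```

The patch-letter comparison relies on OpenSSL's pre-3.0 convention of a single sequential letter per patch release, which holds for the 1.0.x and 1.1.0 branches discussed here; a build of any other branch is reported as `unknown` rather than guessed at.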
