
Bug 609622 (CVE-2017-3733)

Summary: <dev-libs/openssl-1.1.0e: Encrypt-Then-Mac renegotiation crash
Product: Gentoo Security
Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: base-system
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.openssl.org/news/secadv/20170216.txt
Whiteboard: ~1 [noglsa]
Package list:
Runtime testing required: ---

Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-17 10:11:54 UTC
OpenSSL Security Advisory [16 Feb 2017]
========================================

Encrypt-Then-Mac renegotiation crash (CVE-2017-3733)
====================================================

Severity: High

During a renegotiation handshake if the Encrypt-Then-Mac extension is
negotiated where it was not in the original handshake (or vice-versa) then this
can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers
are affected.

OpenSSL 1.1.0 users should upgrade to 1.1.0e

This issue does not affect OpenSSL version 1.0.2.

This issue was reported to OpenSSL on 31st January 2017 by Joe Orton (Red Hat).
The fix was developed by Matt Caswell of the OpenSSL development team.
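The trigger the advisory describes is a mismatch between the original handshake and a renegotiation in whether Encrypt-Then-Mac is negotiated. The following checker is an added example, not code from the bug report or from OpenSSL: it parses the extension list out of raw ClientHello handshake bodies and flags a connection whose renegotiation hellos differ from the first one in offering the encrypt_then_mac extension (type 22, RFC 7366). It approximates "negotiated" by what the client offers, and the sample hellos it builds are constructed with a zeroed random and a single cipher suite.

```python
"""Added example (not from the bug or OpenSSL): detect the CVE-2017-3733
trigger condition from a connection's sequence of ClientHello bodies."""
import struct

ENCRYPT_THEN_MAC = 22  # extension type assigned by RFC 7366


def client_hello_extensions(body: bytes) -> set:
    """Return the extension types present in a TLS ClientHello body
    (the bytes that follow the 4-byte handshake header)."""
    pos = 2 + 32                                   # client_version + random
    sid_len = body[pos]; pos += 1 + sid_len        # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                              # cipher_suites
    comp_len = body[pos]; pos += 1 + comp_len      # compression_methods
    if pos + 2 > len(body):
        return set()                               # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    types = set()
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        types.add(etype)
        pos += 4 + elen                            # skip the extension data
    return types


def build_client_hello(ext_types) -> bytes:
    """Constructed minimal ClientHello body carrying the given extension
    types with empty extension data (sample input for the checker)."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    return (b"\x03\x03" + bytes(32) + b"\x00"      # TLS 1.2, zero random, no session id
            + struct.pack("!H", 2) + b"\x00\x2f"   # one cipher suite
            + b"\x01\x00"                          # null compression only
            + struct.pack("!H", len(exts)) + exts)


def etm_mismatch(hellos) -> bool:
    """True when any renegotiation ClientHello differs from the connection's
    first ClientHello in whether it offers encrypt_then_mac: the condition
    the advisory says can crash an unpatched OpenSSL 1.1.0 peer."""
    if len(hellos) < 2:
        return False                               # no renegotiation happened
    first = ENCRYPT_THEN_MAC in client_hello_extensions(hellos[0])
    return any((ENCRYPT_THEN_MAC in client_hello_extensions(h)) != first
               for h in hellos[1:])
```

Renegotiation ClientHellos travel inside the already-encrypted session, so this is usable on decrypted captures or in a server-side handshake hook, not on a passive wire tap.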
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-17 10:13:48 UTC
Updated version already in tree.

Version was never stable, so all done.