Bug 609622 (CVE-2017-3733) - <dev-libs/openssl-1.1.0e: Encrypt-Then-Mac renegotiation crash
Summary: <dev-libs/openssl-1.1.0e: Encrypt-Then-Mac renegotiation crash
Alias: CVE-2017-3733
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~1 [noglsa]
Depends on:
Reported: 2017-02-17 10:11 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-02-17 10:13 UTC

See Also:
Package list:
Runtime testing required: ---


Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-17 10:11:54 UTC
OpenSSL Security Advisory [16 Feb 2017]

Encrypt-Then-Mac renegotiation crash (CVE-2017-3733)

Severity: High

During a renegotiation handshake if the Encrypt-Then-Mac extension is
negotiated where it was not in the original handshake (or vice-versa) then this
can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers
are affected.

OpenSSL 1.1.0 users should upgrade to 1.1.0e

This issue does not affect OpenSSL version 1.0.2.

This issue was reported to OpenSSL on 31st January 2017 by Joe Orton (Red Hat).
The fix was developed by Matt Caswell of the OpenSSL development team.
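The advisory above describes a crash that is triggered when a renegotiation handshake offers the Encrypt-Then-Mac extension while the original handshake did not (or the other way round). The following is an added example, not part of the Gentoo bug or of the OpenSSL advisory: a minimal parser for a TLS record carrying a ClientHello that reports whether the encrypt_then_mac extension (type 22, as assigned by RFC 7366) is offered, plus a comparison helper that flags exactly the initial-vs-renegotiation mismatch the advisory names. The ClientHello bytes are constructed inline for the demonstration; the cipher suite value, the fixed random bytes and the function names are all assumptions of this example and carry no meaning beyond it. The same parser reports any other extension too, so it also generalises to checking other extension changes across renegotiation.

```python
"""
Added example (not from the Gentoo bug or the OpenSSL advisory): parse a
TLS ClientHello record, report whether the encrypt_then_mac extension
(type 22, RFC 7366) is offered, and compare an initial handshake with a
renegotiation handshake to flag the mismatch CVE-2017-3733 describes.
All sample handshakes below are constructed for this demonstration.
"""
import struct

ENCRYPT_THEN_MAC = 22  # extension type number assigned by RFC 7366


def parse_client_hello_extensions(record: bytes) -> dict:
    """Return {extension_type: extension_data} for a ClientHello record.

    Every length field is checked against the bytes actually present, so a
    truncated or malformed message raises ValueError instead of being
    misread silently.
    """
    # TLS record header: content type (1), protocol version (2), length (2)
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    # Handshake header: message type (1), length (3); 0x01 is ClientHello
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                              # client_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                        # session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + cs_len                         # cipher_suites
    cm_len = hello[pos]
    pos += 1 + cm_len                         # compression_methods
    extensions = {}
    if pos == len(hello):
        return extensions                     # legacy hello, no extension block
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end != len(hello):
        raise ValueError("extension block length does not match message")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        if pos + ext_len > end:
            raise ValueError("extension runs past block end")
        extensions[ext_type] = hello[pos:pos + ext_len]
        pos += ext_len
    if pos != end:
        raise ValueError("trailing bytes in extension block")
    return extensions


def offers_etm(record: bytes) -> bool:
    """True if the ClientHello offers encrypt_then_mac."""
    return ENCRYPT_THEN_MAC in parse_client_hello_extensions(record)


def etm_changes_on_renegotiation(initial: bytes, renegotiation: bytes) -> bool:
    """True when EtM is offered in one handshake but not the other: the
    condition the advisory identifies as the crash trigger on an
    unpatched OpenSSL 1.1.0 (< 1.1.0e)."""
    return offers_etm(initial) != offers_etm(renegotiation)


def build_client_hello(extensions) -> bytes:
    """Construct a syntactically valid TLS 1.2 ClientHello record.

    Sample data only: fixed random bytes, an empty session id and one CBC
    cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA, 0x002f), chosen because
    Encrypt-Then-Mac only applies to CBC suites.
    """
    body = b"\x03\x03" + b"\x11" * 32          # client_version + random (constructed)
    body += b"\x00"                            # empty session_id
    suites = b"\x00\x2f"
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                        # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    if extensions:
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    first = build_client_hello([(ENCRYPT_THEN_MAC, b"")])   # EtM offered
    renego = build_client_hello([])                          # EtM absent
    print("initial offers EtM:", offers_etm(first))
    print("renegotiation offers EtM:", offers_etm(renego))
    print("EtM mismatch across renegotiation:", etm_changes_on_renegotiation(first, renego))
```

Fed two captured ClientHellos from the same connection (the initial one and the one sent during renegotiation), `etm_changes_on_renegotiation` tells a defender whether that connection exercised the affected code path; the parser's strict length checks mean a malformed capture fails loudly rather than producing a wrong answer.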
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-17 10:13:48 UTC
Updated version already in tree.

Version was never stable, so all done.