Description: "The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v)."
It only affects <1.1 but as long as we have this version is repository we are affected. Updated summary to reflect current status in Gentoo.
GLSA request filed
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=143e8d174e14e346f2c37e8a31a4be211ac3e24c commit 143e8d174e14e346f2c37e8a31a4be211ac3e24c Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-10-16 14:27:07 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-10-16 14:39:36 +0000 [ GLSA 202210-02 ] OpenSSL: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/741570 Bug: https://bugs.gentoo.org/809980 Bug: https://bugs.gentoo.org/832339 Bug: https://bugs.gentoo.org/835343 Bug: https://bugs.gentoo.org/842489 Bug: https://bugs.gentoo.org/856592 Bug: https://bugs.gentoo.org/876787 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202210-02.xml | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=530086715f82de12009538347725dbfd14e6b0a8 commit 530086715f82de12009538347725dbfd14e6b0a8 Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2022-10-14 03:47:09 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-10-16 14:52:19 +0000 profiles: mask <openssl-1.1.1 Bug: https://bugs.gentoo.org/876787 Bug: https://bugs.gentoo.org/741570 Bug: https://bugs.gentoo.org/809980 Bug: https://bugs.gentoo.org/832339 Bug: https://bugs.gentoo.org/835343 Bug: https://bugs.gentoo.org/842489 Bug: https://bugs.gentoo.org/856592 Closes: https://github.com/gentoo/gentoo/pull/22909 Signed-off-by: John Helmert III <ajak@gentoo.org> profiles/package.mask | 5 +++++ 1 file changed, 5 insertions(+)
GLSA released, all done!