609622 – (CVE-2017-3733) <dev-libs/openssl-1.1.0e: Encrypt-Then-Mac renegotiation crash

Bug 609622 (CVE-2017-3733) - <dev-libs/openssl-1.1.0e: Encrypt-Then-Mac renegotiation crash

Summary: <dev-libs/openssl-1.1.0e: Encrypt-Then-Mac renegotiation crash

Status:	RESOLVED FIXED

Alias:	CVE-2017-3733

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:	https://www.openssl.org/news/secadv/2...
Whiteboard:	~1 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2017-02-17 10:11 UTC by Thomas Deutschmann (RETIRED)
Modified:	2017-02-17 10:13 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Deutschmann (RETIRED) gentoo-dev

2017-02-17 10:11:54 UTC

OpenSSL Security Advisory [16 Feb 2017]
========================================

Encrypt-Then-Mac renegotiation crash (CVE-2017-3733)
====================================================

Severity: High

During a renegotiation handshake if the Encrypt-Then-Mac extension is
negotiated where it was not in the original handshake (or vice-versa) then this
can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers
are affected.

OpenSSL 1.1.0 users should upgrade to 1.1.0e

This issue does not affect OpenSSL version 1.0.2.

This issue was reported to OpenSSL on 31st January 2017 by Joe Orton (Red Hat).
The fix was developed by Matt Caswell of the OpenSSL development team.

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2017-02-17 10:13:48 UTC

Updated version already in tree.

Version was never stable, so all done.