[web] master update

Matt Caswell matt at openssl.org
Tue Feb 26 19:07:15 UTC 2019


The branch master has been updated
       via  4b05bbb28879460b203a4c99ed0c70c12c63a265 (commit)
      from  6f4edf054e16bec8cb590de4b77c523334ebfe28 (commit)


- Log -----------------------------------------------------------------
commit 4b05bbb28879460b203a4c99ed0c70c12c63a265
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Feb 26 16:49:35 2019 +0000

    Clarify the advisory regarding AEAD ciphersuites
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/web/pull/121)

-----------------------------------------------------------------------

Summary of changes:
 news/secadv/20190226.txt | 4 +++-
 news/vulnerabilities.xml | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/news/secadv/20190226.txt b/news/secadv/20190226.txt
index 8a4a6dd..64cdbe2 100644
--- a/news/secadv/20190226.txt
+++ b/news/secadv/20190226.txt
@@ -18,7 +18,7 @@ In order for this to be exploitable "non-stitched" ciphersuites must be in use.
 Stitched ciphersuites are optimised implementations of certain commonly used
 ciphersuites. Also the application must call SSL_shutdown() twice even if a
 protocol error has occurred (applications should not do this but some do
-anyway).
+anyway). AEAD ciphersuites are not impacted.
 
 This issue does not impact OpenSSL 1.1.1 or 1.1.0.
 
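Review bot: the added sentence "AEAD ciphersuites are not impacted." is appended after the SSL_shutdown() parenthetical, which puts it two sentences away from the "non-stitched" ciphersuite condition it qualifies. Consider moving it directly after the sentence that defines stitched ciphersuites, so the two ciphersuite conditions read together and the SSL_shutdown() condition stays a separate point.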
@@ -28,6 +28,8 @@ This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod Aviram,
 with additional investigation by Steven Collison and Andrew Hourselt. It was
 reported to OpenSSL on 10th December 2018.
 
+Note: Advisory updated to make it clearer that AEAD ciphersuites are not impacted.
+
 Note
 ====
 
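Review bot: the added line "Note: Advisory updated to make it clearer that AEAD ciphersuites are not impacted." carries no date and lands directly above the existing "Note" heading, so the advisory now has two unrelated notes back to back. Suggest stating when the update was made and setting it apart from the following section, for example by wording it as an update rather than as a note.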
diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml
index 1732db5..5286f54 100644
--- a/news/vulnerabilities.xml
+++ b/news/vulnerabilities.xml
@@ -47,7 +47,7 @@
       Stitched ciphersuites are optimised implementations of certain commonly used
       ciphersuites. Also the application must call SSL_shutdown() twice even if a
       protocol error has occurred (applications should not do this but some do
-      anyway).
+      anyway). AEAD ciphersuites are not impacted.
     </description>
     <advisory url="/news/secadv/20190226.txt"/>
     <reported source="Juraj Somorovsky, Robert Merget and Nimrod Aviram, with additional investigation by Steven Collison and Andrew Hourselt"/>
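Review bot: nothing in this entry marks the description as revised, whereas 20190226.txt gains an explicit update note in the same commit. If readers of vulnerabilities.xml may have seen the earlier description, consider recording the revision here as well. The placement point from the text advisory also applies: "AEAD ciphersuites are not impacted." follows the SSL_shutdown() sentence rather than the ciphersuite condition it qualifies.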

