[openssl-commits] [web] master update

Matt Caswell matt at openssl.org
Thu Feb 16 12:14:55 UTC 2017


The branch master has been updated
       via  6ab0a53dba21e3d4bc94859ec6dc6624cff8f774 (commit)
      from  53ec621aa94b3b9f75cb2012178fed494819de4d (commit)


- Log -----------------------------------------------------------------
commit 6ab0a53dba21e3d4bc94859ec6dc6624cff8f774
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Feb 16 12:14:41 2017 +0000

    Add security advisory

-----------------------------------------------------------------------

Summary of changes:
 news/secadv/20170216.txt | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 news/secadv/20170216.txt

diff --git a/news/secadv/20170216.txt b/news/secadv/20170216.txt
new file mode 100644
index 0000000..da9043d
--- /dev/null
+++ b/news/secadv/20170216.txt
@@ -0,0 +1,39 @@
+
+OpenSSL Security Advisory [16 Feb 2017]
+========================================
+
+Encrypt-Then-Mac renegotiation crash (CVE-2017-3733)
+====================================================
+
+Severity: High
+
+During a renegotiation handshake if the Encrypt-Then-Mac extension is
+negotiated where it was not in the original handshake (or vice-versa) then this
+can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers
+are affected.
+
+OpenSSL 1.1.0 users should upgrade to 1.1.0e
+
+This issue does not affect OpenSSL version 1.0.2.
+
+This issue was reported to OpenSSL on 31st January 2017 by Joe Orton (Red Hat).
+The fix was developed by Matt Caswell of the OpenSSL development team.
+
+Note
+====
+
+Support for version 1.0.1 ended on 31st December 2016. Support for versions
+0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer
+receiving security updates.
+
+References
+==========
+
+URL for this Security Advisory:
+https://www.openssl.org/news/secadv/20170216.txt
+
+Note: the online version of the advisory may be updated with additional details
+over time.
+
+For details of OpenSSL severity classifications please see:
+https://www.openssl.org/policies/secpolicy.html


More information about the openssl-commits mailing list