[openssl-commits] [web] master update
Rich Salz
rsalz at openssl.org
Tue Jan 31 18:37:45 UTC 2017
The branch master has been updated
via 3c666ac3cbb10c72e65912ff616af051a97db51e (commit)
from 8a3857ed83a03aecbc900ddb380eff53e0842d46 (commit)
- Log -----------------------------------------------------------------
commit 3c666ac3cbb10c72e65912ff616af051a97db51e
Author: Rich Salz <rsalz at akamai.com>
Date: Tue Jan 31 13:36:23 2017 -0500
Update: Not really susceptible by default
-----------------------------------------------------------------------
Summary of changes:
news/secadv/20170126.txt | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/news/secadv/20170126.txt b/news/secadv/20170126.txt
index ea38586..32a2b75 100644
--- a/news/secadv/20170126.txt
+++ b/news/secadv/20170126.txt
@@ -56,9 +56,16 @@ required for such an attack would be very significant and likely only
accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
-key that is shared between multiple clients. For example this can occur by
-default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
-similar to CVE-2015-3193 but must be treated as a separate problem.
+key that is shared between multiple clients.
+
+UPDATE 31 Jan 2017. The original text said
+ For example this can occur by
+ default in OpenSSL DHE based SSL/TLS ciphersuites.
+This is not true. DHE key re-use was removed by commit c5b831f for 1.0.2
+or commit ffaef3f for 1.1.0 on 17 December 2015
+
+Note: This issue is very similar to CVE-2015-3193 but must be treated as
+a separate problem.
OpenSSL 1.1.0 users should upgrade to 1.1.0d
OpenSSL 1.0.2 users should upgrade to 1.0.2k
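Review bot: the added UPDATE paragraph ends without a terminating sentence at `+or commit ffaef3f for 1.1.0 on 17 December 2015`, and the two commit references (c5b831f, ffaef3f) are abbreviated hashes with no pointer to the repository; suggest closing the sentence with a period and citing the full commit ids (or URLs) so readers of the advisory can verify that DHE key re-use was removed on that date. The retracted wording is set off only by a single leading space, which is easy to miss in plain text; a clearer quoting convention (for example a blank line before and after, or an explicit "quoted:" marker) would make the retraction unambiguous.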