[web] master update
Matt Caswell
matt at openssl.org
Tue Feb 26 19:07:15 UTC 2019
The branch master has been updated
via 4b05bbb28879460b203a4c99ed0c70c12c63a265 (commit)
from 6f4edf054e16bec8cb590de4b77c523334ebfe28 (commit)
- Log -----------------------------------------------------------------
commit 4b05bbb28879460b203a4c99ed0c70c12c63a265
Author: Matt Caswell <matt at openssl.org>
Date: Tue Feb 26 16:49:35 2019 +0000
Clarify the advisory regarding AEAD ciphersuites
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/web/pull/121)
-----------------------------------------------------------------------
Summary of changes:
news/secadv/20190226.txt | 4 +++-
news/vulnerabilities.xml | 2 +-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/news/secadv/20190226.txt b/news/secadv/20190226.txt
index 8a4a6dd..64cdbe2 100644
--- a/news/secadv/20190226.txt
+++ b/news/secadv/20190226.txt
@@ -18,7 +18,7 @@ In order for this to be exploitable "non-stitched" ciphersuites must be in use.
Stitched ciphersuites are optimised implementations of certain commonly used
ciphersuites. Also the application must call SSL_shutdown() twice even if a
protocol error has occurred (applications should not do this but some do
-anyway).
+anyway). AEAD ciphersuites are not impacted.
This issue does not impact OpenSSL 1.1.1 or 1.1.0.
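
Review bot: The sentence added on the `+anyway).` line sits right after the SSL_shutdown() parenthetical, so it reads as a qualification of the shutdown condition rather than of the ciphersuite condition it belongs to. Consider moving "AEAD ciphersuites are not impacted." up next to the sentences about "non-stitched" and stitched ciphersuites, and saying how it relates to that condition, since a reader checking a configuration against the advisory has to work through both statements together.
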
@@ -28,6 +28,8 @@ This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod Aviram,
with additional investigation by Steven Collison and Andrew Hourselt. It was
reported to OpenSSL on 10th December 2018.
+Note: Advisory updated to make it clearer that AEAD ciphersuites are not impacted.
+
Note
====
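
Review bot: The added "Note: Advisory updated ..." line carries no date, so someone comparing copies of the advisory cannot tell when the clarification was made; suggest putting the update date in that line. It also runs longer than the wrapped lines around it and sits directly above the existing "Note" heading, so wrapping it and giving it a distinct label would keep it from being read as part of that section.
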
diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml
index 1732db5..5286f54 100644
--- a/news/vulnerabilities.xml
+++ b/news/vulnerabilities.xml
@@ -47,7 +47,7 @@
Stitched ciphersuites are optimised implementations of certain commonly used
ciphersuites. Also the application must call SSL_shutdown() twice even if a
protocol error has occurred (applications should not do this but some do
- anyway).
+ anyway). AEAD ciphersuites are not impacted.
</description>
<advisory url="/news/secadv/20190226.txt"/>
<reported source="Juraj Somorovsky, Robert Merget and Nimrod Aviram, with additional investigation by Steven Collison and Andrew Hourselt"/>
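
Review bot: The description gains the AEAD sentence on the `+ anyway).` line, but nothing in this entry records that it was revised, whereas the text advisory gets an explicit update note in the same commit. If consumers read the XML rather than the .txt file, consider recording the revision here as well, and keep the sentence word-for-word identical in both files now that it is maintained in two places.
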