By Eduard Kovacs on February 16, 2017
A high severity denial-of-service (DoS) vulnerability was patched on Thursday in OpenSSL with the release of version 1.1.0e.
The flaw, tracked as CVE-2017-3733, has been described as an “Encrypt-Then-Mac renegotiation crash.” The security hole, reported by Joe Orton of Red Hat on January 31, does not affect OpenSSL 1.0.2.
“During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers are affected,” the OpenSSL Project said in its advisory.
Powered by WPeMatico