OpenSSL released version 1.1.0e, which patches a high-severity denial of service (DoS) vulnerability.

Reported by Joe Orton of Red Hat at the end of January, the issue does not affect OpenSSL 1.0.2.

The flaw is an “Encrypt-Then-Mac renegotiation crash.”

“During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers are affected,” the OpenSSL Project said in an advisory.

On the subject of supported versions, the OpenSSL Project reminded users that versions 1.0.1, 1.0.0 and 0.9.8 are no longer supported and no longer receive security updates. Version 1.0.2 has a long-term support (LTS) date of December 31, 2019, and there are no plans for a 1.0.3 release.
