OpenSSL released version 1.1.0e, which patched a high-severity denial-of-service (DoS) vulnerability.
Reported by Joe Orton of Red Hat at the end of January, the issue does not affect OpenSSL 1.0.2.
The flaw is an “Encrypt-Then-Mac renegotiation crash.”
“During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers are affected,” the OpenSSL Project said in an advisory.
On the subject of supported versions, the OpenSSL Project reminded users that versions 1.0.1, 1.0.0 and 0.9.8 are no longer supported and no longer receive security updates. Version 1.0.2 has a long-term support (LTS) date of December 31, 2019, and there are no plans for a 1.0.3 release.
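A fleet triage built only from the version facts above, as an added example that is not code from the OpenSSL Project or from this article. It assumes every 1.1.0 release before 1.1.0e is affected, and the host names and `openssl version` banners are constructed.

```python
import re

# Facts taken from the article: 1.1.0e carries the fix, 1.0.2 is not affected,
# and 1.0.1, 1.0.0 and 0.9.8 no longer receive security updates.
FIXED_BRANCH, FIXED_LETTER = "1.1.0", "e"
NOT_AFFECTED = {"1.0.2"}
UNSUPPORTED = {"1.0.1", "1.0.0", "0.9.8"}

# Matches "1.1.0d", "1.0.2k" (also inside "1.0.2k-fips") or a bare "1.1.0".
_VERSION = re.compile(r"\b(\d+\.\d+\.\d+)([a-z]{0,2})\b")


def classify(banner):
    """Map one `openssl version` banner to a triage status string."""
    match = _VERSION.search(banner)
    if not match:
        return "unknown"
    branch, letter = match.groups()
    if branch in UNSUPPORTED:
        return "unsupported"
    if branch in NOT_AFFECTED:
        return "not-affected"
    if branch == FIXED_BRANCH:
        # Patch letters run "", a..z, za, zb..., so string comparison orders them.
        # Assumption: all 1.1.0 releases below the fixed letter are affected.
        return "patched" if letter >= FIXED_LETTER else "affected"
    return "unknown"  # a branch the article does not mention


def triage(inventory):
    """Group hosts by status; inventory maps host name -> banner."""
    report = {}
    for host, banner in sorted(inventory.items()):
        report.setdefault(classify(banner), []).append(host)
    return report


# Constructed inventory: host names and banners are made up for this example.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.1.0d  26 Jan 2017",
    "web-02": "OpenSSL 1.1.0e  16 Feb 2017",
    "api-01": "OpenSSL 1.0.2k-fips  26 Jan 2017",
    "legacy-01": "OpenSSL 1.0.1u  22 Sep 2016",
    "build-01": "OpenSSL 1.1.0",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:13} {', '.join(hosts)}")
```

Distribution packages can carry backported fixes under an unchanged upstream version string, so confirm an "affected" result against the vendor's package changelog before scheduling an upgrade.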