The branch master has been updated via 4b05bbb28879460b203a4c99ed0c70c12c63a265 (commit) from 6f4edf054e16bec8cb590de4b77c523334ebfe28 (commit)
- Log ----------------------------------------------------------------- commit 4b05bbb28879460b203a4c99ed0c70c12c63a265 Author: Matt Caswell <m...@openssl.org> Date: Tue Feb 26 16:49:35 2019 +0000 Clarify the advisory regarding AEAD ciphersuites Reviewed-by: Richard Levitte <levi...@openssl.org> (Merged from https://github.com/openssl/web/pull/121) ----------------------------------------------------------------------- Summary of changes: news/secadv/20190226.txt | 4 +++- news/vulnerabilities.xml | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/news/secadv/20190226.txt b/news/secadv/20190226.txt index 8a4a6dd..64cdbe2 100644 --- a/news/secadv/20190226.txt +++ b/news/secadv/20190226.txt @@ -18,7 +18,7 @@ In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do -anyway). +anyway). AEAD ciphersuites are not impacted. This issue does not impact OpenSSL 1.1.1 or 1.1.0. @@ -28,6 +28,8 @@ This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod Aviram, with additional investigation by Steven Collison and Andrew Hourselt. It was reported to OpenSSL on 10th December 2018. +Note: Advisory updated to make it clearer that AEAD ciphersuites are not impacted. + Note ==== diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 1732db5..5286f54 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml 
@@ -47,7 +47,7 @@ Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do - anyway). + anyway). AEAD ciphersuites are not impacted. </description> <advisory url="/news/secadv/20190226.txt"/> <reported source="Juraj Somorovsky, Robert Merget and Nimrod Aviram, with additional investigation by Steven Collison and Andrew Hourselt"/>
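Review bot: In news/secadv/20190226.txt, hunk @@ -18,7 +18,7 @@, the new sentence "AEAD ciphersuites are not impacted." is appended after the SSL_shutdown() condition, but it qualifies the ciphersuite condition stated earlier in the same paragraph ("non-stitched" ciphersuites must be in use). Consider moving it directly after the sentence describing stitched ciphersuites, so the two ciphersuite conditions read together and the application-behaviour condition follows them.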
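Review bot: In news/secadv/20190226.txt, hunk @@ -28,6 +28,8 @@, the added update line carries no date, while the line just above it dates the original report (10th December 2018), so a reader comparing copies of the advisory cannot tell when the text changed. Suggest adding the date of the revision to the line. It also begins with "Note:" and sits immediately above the existing "Note" section heading; a distinct label such as "Update:" would keep the two apart.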
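Review bot: In news/vulnerabilities.xml, hunk @@ -47,7 +47,7 @@, the description gains the AEAD sentence but the entry records nothing about the revision, unlike the text advisory, which gets an explicit update note in the same commit. If the XML is consumed separately from the advisory text, consider recording the update there as well, or confirm that the existing advisory url reference is sufficient. The sentence is also now maintained by hand in two files, so any later rewording has to be applied to both.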