OpenSSL: Multiple vulnerabilities — GLSA 201702-07

Multiple vulnerabilities have been found in OpenSSL, the worst of which might allow attackers to access sensitive information.

Affected Packages

dev-libs/openssl on all architectures
Affected versions < 1.0.2k
Unaffected versions >= 1.0.2k

Background

OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general purpose cryptography library.

Description

Multiple vulnerabilities have been discovered in OpenSSL. Please review the CVE identifiers referenced below for details.

Impact

A remote attacker is able to crash applications linked against OpenSSL or could obtain sensitive private-key information via an attack against the Diffie-Hellman (DH) ciphersuite.

Workaround

There is no known workaround at this time.

Resolution

All OpenSSL users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.2k"
 

References

Release Date
February 14, 2017

Latest Revision
February 14, 2017: 1

Severity
normal

Exploitable
remote

Bugzilla entries