Gentoo update for OpenSSL

Published: 2018-11-09 09:46:06 | Updated: 2018-11-09 09:46:19
Severity Low
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2018-0732
CVSSv3 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CWE ID CWE-20
Exploitation vector Network
Public exploit Not available
Vulnerable software Gentoo Linux
Vulnerable software versions Gentoo Linux -
Vendor URL Gentoo

Security Advisory

1) Improper input validation

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to improper handling of large prime values by the affected software during key agreement operations in a Transport Layer Security (TLS) handshake using an Ephemeral Diffie-Hellman (DHE) based cipher suite. A remote attacker can send a large prime value from a malicious OpenSSL server to a targeted OpenSSL client and cause the client to stop responding while generating a key for the prime value.

Remediation

Update the affected packages.
dev-libs/openssl to version: 1.0.2o-r6

External links

https://security.gentoo.org/glsa/201811-03

Back to List