RHSA-2015:1072

Affecting openssl-libs package, versions <1:1.0.1e-42.el7_1.6

Report new vulnerabilities
medium severity
Do your applications use this vulnerable package? Test your applications

Overview

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A flaw was found in the way the TLS protocol composes the Diffie-Hellman (DH) key exchange. A man-in-the-middle attacker could use this flaw to force the use of weak 512 bit export-grade keys during the key exchange, allowing them do decrypt all traffic. (CVE-2015-4000) Note: This update forces the TLS/SSL client implementation in OpenSSL to reject DH key sizes below 768 bits, which prevents sessions to be downgraded to export-grade keys. Future updates may raise this limit to 1024 bits. All openssl users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

CVE
RHSA-2015:1072
Snyk ID
SNYK-CENTOS7-OPENSSLLIBS-286243
Published
27 Jun, 2018