An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.

The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

• Copyright MITRE Corporation

This issue is NOT the same as the Heartbleed vulnerability but a newer one. A patch to fix this will be forthcoming

This bug affects the OpenSSL client on all systems and the OpenSSL server on ClearOS version 6.5. A patch to fix this issue will be coming soon. When it is issued, however, it will NOT have an increment of the version number. We backport patches into existing version numbers to ensure compatibility and stability of your system. What is important is the minor version number. You will be told on this page which version of OpenSSL is affected and which one it is fixed.

To see what version you are currently running type the following from a command prompt:

rpm -qi openssl

This page will be updated once the fix is available on the mirrors. Once it is, please run the following:

yum update

You may also validate your version by running:

rpm -qi openssl

• MITRE.org CVE database