Bugzilla – Bug 1022084
VUL-0: CVE-2017-3730: openssl: Bad (EC)DHE parameters cause a client crash
Last modified: 2017-01-26 15:52:12 UTC
https://www.openssl.org/news/secadv/20170126.txt

Bad (EC)DHE parameters cause a client crash (CVE-2017-3730)
===========================================================

Severity: Moderate

If a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack.

OpenSSL 1.1.0 users should upgrade to 1.1.0d

This issue does not affect OpenSSL version 1.0.2.

Note that this issue was fixed prior to it being recognised as a security concern. This means the git commit with the fix does not contain the CVE identifier. The relevant fix commit can be identified by commit hash efbe126e3.

This issue was reported to OpenSSL on 14th January 2017 by Guido Vranken. The fix was developed by Matt Caswell of the OpenSSL development team.
https://guidovranken.wordpress.com/2017/01/26/cve-2017-3730-openssl-1-1-0-remote-client-denial-of-service-affects-servers-as-well-poc/ write-up by Guido
posted note for cve page
This issue only affects OpenSSL 1.1 series. Currently no SUSE or openSUSE version includes openssl 1.1.
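An added triage helper (not part of this bug report or of OpenSSL) that applies the advisory's affected range to an `openssl version` banner: affected means the 1.1.0 series before 1.1.0d, while 1.0.2 and other series are not. The banners in the test are constructed; the `local_openssl_affected()` helper assumes an `openssl` binary on PATH.

```python
import re
import subprocess

# Per the advisory: fixed in 1.1.0d, so letter releases below 'd' in the 1.1.0 series are affected.
FIXED_LETTER = "d"

# Matches e.g. "OpenSSL 1.1.0c  10 Nov 2016" -> major, minor, fix, letter suffix.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter) from a version banner, or None if unparseable."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def is_affected_by_cve_2017_3730(banner):
    """True if the banner describes a 1.1.0-series release older than 1.1.0d."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    major, minor, fix, letter = parsed
    if (major, minor, fix) != (1, 1, 0):
        return False  # 1.0.2 and every other series are not affected
    # Letter releases sort alphabetically: '' (plain 1.1.0) < 'a' < 'b' < 'c' < 'd'
    return letter < FIXED_LETTER


def local_openssl_affected():
    """Classify the system OpenSSL (assumption: 'openssl' is on PATH)."""
    result = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    return is_affected_by_cve_2017_3730(result.stdout)
```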