As per the upstream advisory: OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack. OpenSSL 1.0.0 users should upgrade to 1.0.0m. OpenSSL 1.0.1 users should upgrade to 1.0.1h. Acknowledgements: Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges Felix Gröbert and Ivan Fratrić of Google as the original reporters of this issue.
Created attachment 901376 [details] Upstream patch
Fixed upstream in OpenSSL 1.0.1h, 1.0.0m and 0.9.8za. External References: https://www.openssl.org/news/secadv_20140605.txt
Upstream commits: OpenSSL-1.0.1: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8011cd56e39a433b1837465259a9bd24a38727fb OpenSSL-0.9.8: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=141a5482fdd1944804cc342c1c443362eed8501b
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2014:0625 https://rhn.redhat.com/errata/RHSA-2014-0625.html
Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1096233]
Created mingw-openssl tracking bugs for this issue: Affects: fedora-all [bug 1096234]
This issue has been addressed in following products: Red Hat Storage 2.1 Via RHSA-2014:0628 https://rhn.redhat.com/errata/RHSA-2014-0628.html
Statement: This issue does not affect the version of openssl and openssl097a as shipped with Red Hat Enterprise Linux 5. This issue does not affect the openssl098e as shipped with Red Hat Enterprise Linux 6.
openssl-1.0.1e-38.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
openssl-1.0.1e-38.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: Red Hat Enterprise Linux 7 Via RHSA-2014:0679 https://rhn.redhat.com/errata/RHSA-2014-0679.html
Created mingw32-openssl tracking bugs for this issue: Affects: epel-5 [bug 1127888]