A flaw in the OpenSSL handling of CBC ciphersuites in TLS 1.1 and TLS 1.2 on AES-NI (Advanced Encryption Standard New Instructions) supporting platforms [1] can be exploited in a DoS attack. Anyone using an AES-NI platform for TLS 1.2 or TLS 1.1 on OpenSSL 1.0.1c is affected. Platforms which do not support AES-NI or versions of OpenSSL which do not implement TLS 1.2 or 1.1 (for example OpenSSL 0.9.8 and 1.0.0) are not affected. [1] http://en.wikipedia.org/wiki/AES-NI#Supporting_CPUs External References: http://www.openssl.org/news/secadv_20130205.txt
Statement: Not vulnerable. This issue did not affect the versions of OpenSSL as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include support for TLS 1.2 or 1.1.
Created openssl tracking bugs for this issue Affects: fedora-18 [bug 908032]
Fix for this is included as part of the changeset which is one of the several changesets added to address CVE-2013-0169 in OpenSSL (bug 907589): http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=125093b59f3c2a2d33785b5563d929d0472f1721