2017-02-16 - OpenSSL Vulnerabilities
====================================

*Feb 16, 2017*, OpenSSL announced the following security advisories: https://www.openssl.org/news/secadv/20170216.txt


Advisory CVEs
-------------

* CVE-2017-3733 - **Encrypt-Then-Mac renegotiation crash** (Severity:High)

  OpenSSL 1.1.0 users should upgrade to 1.1.0e

  This issue does not affect OpenSSL version 1.0.2.

Please see the security bulletin above for patch, upgrade, or suggested work around information.

Action
------

xCAT uses OpenSSL for client-server communication but **does not** ship it.

It is highly recommended to keep your OpenSSL levels up-to-date with the indicated versions in the security bulletins to prevent any potential security threats. Obtain the updated software packages from your Operating system distribution channels.