CVE-2014-3507

Priority
Medium
Description
Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before
0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote
attackers to cause a denial of service (memory consumption) via zero-length
DTLS fragments that trigger improper handling of the return value of a
certain insert function.
Notes
mdeslaur> openssl in lucid doesn't seem vulnerable, as code is different
Assigned-to
mdeslaur
Package
Upstream:released (0.9.8zb)
Ubuntu 10.04 LTS (Lucid Lynx):DNE
Ubuntu 12.04 LTS (Precise Pangolin):needed
Ubuntu 14.04 LTS (Trusty Tahr):needed
Ubuntu 14.10 (Utopic Unicorn):needed
Package
Upstream:released (0.9.8zb,1.0.1i)
Ubuntu 10.04 LTS (Lucid Lynx):not-affected
Ubuntu 12.04 LTS (Precise Pangolin):released (1.0.1-4ubuntu5.17)
Ubuntu 14.04 LTS (Trusty Tahr):released (1.0.1f-1ubuntu2.5)
Ubuntu 14.10 (Utopic Unicorn):released (1.0.1f-1ubuntu7)
Patches:
Upstream:https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=9871417fb74dca48ea1dc85ae666a6529d113ff8 (1.0.1)
Upstream:https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=099ccdb8084aff60efad0c91185cb465f9123859 (1.0.1)
Upstream:https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=0c37aed3f327782645d68964cd7a714df6b8880d (1.0.1)
Upstream:https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4e0fbdc4ecc81c99cd9e63f907039b4b323e642b (1.0.1)
Upstream:https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=445598b35e16090b676bb168807da06518658b34 (0.9.8)
Upstream:https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=fc15c440498f815e384f496c5913fe1db9f69a28 (0.9.8)
Upstream:https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6e14e7fc19ab8c16ec7e7cb69404b96cf591a575 (0.9.8)
Upstream:https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4c836c96c4ec507040ed9149acacddc40399155d (0.9.8)

Updated: 2014-10-23 21:18:43 UTC (commit 8644)