PublicDateAtUSN: 2013-02-08
Candidate: CVE-2013-0166
PublicDate: 2013-02-08 19:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0166
 http://www.openssl.org/news/secadv_20130204.txt
 https://ubuntu.com/security/notices/USN-1732-1
Description:
 OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does
 not properly perform signature verification for OCSP responses, which
 allows remote OCSP servers to cause a denial of service (NULL pointer
 dereference and application crash) via an invalid key.
Ubuntu-Description:
Notes:
Bugs:
 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0166
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699889
Priority: medium
Discovered-by: Stephen Henson
Assigned-to: mdeslaur
CVSS:

Patches_openssl:
 upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=66e8211c0b1347970096e04b18aa52567c325200 (0.9.8)
 upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ebc71865f0506a293242bd4aec97cdc7a8ef24b0 (1.0.0)
 upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=62e4506a7d4cec1c8e1ff687f6b220f6a62a57c7 (1.0.1)
upstream_openssl: released (0.9.8y, 1.0.0k, 1.0.1d)
hardy_openssl: released (0.9.8g-4ubuntu3.20)
lucid_openssl: released (0.9.8k-7ubuntu8.14)
oneiric_openssl: released (1.0.0e-2ubuntu4.7)
precise_openssl: released (1.0.1-4ubuntu5.6)
quantal_openssl: released (1.0.1c-3ubuntu2.1)
raring_openssl: released (1.0.1c-4ubuntu4)
saucy_openssl: released (1.0.1c-4ubuntu4)
trusty_openssl: released (1.0.1c-4ubuntu4)
trusty/esm_openssl: released (1.0.1c-4ubuntu4)
devel_openssl: released (1.0.1c-4ubuntu4)

Patches_openssl098:
upstream_openssl098: released (0.9.8y)
hardy_openssl098: DNE
lucid_openssl098: DNE
oneiric_openssl098: ignored (reached end-of-life)
precise_openssl098: released (0.9.8o-7ubuntu3.2)
quantal_openssl098: ignored (reached end-of-life)
raring_openssl098: ignored (reached end-of-life)
saucy_openssl098: released (0.9.8o-7ubuntu3.2.13.10.1)
trusty_openssl098: released (0.9.8o-7ubuntu3.2.14.04.1)
trusty/esm_openssl098: DNE (trusty was released [0.9.8o-7ubuntu3.2.14.04.1])
devel_openssl098: released (0.9.8o-7ubuntu4)