Candidate: CVE-2014-3569
PublicDate: 2014-12-24 11:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569
 https://www.openssl.org/news/secadv_20150108.txt
Description:
 The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc,
 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported
 protocols, which allows remote attackers to cause a denial of service (NULL
 pointer dereference and daemon crash) via an unexpected handshake, as
 demonstrated by an SSLv3 handshake to a no-ssl3 application with certain
 error handling.  NOTE: this issue became relevant after the CVE-2014-3568
 fix.
Ubuntu-Description:
Notes:
 mdeslaur> Ubuntu packages aren't compiled with no-ssl3, so aren't actually
 mdeslaur> vulnerable to this issue.
Bugs:
 https://rt.openssl.org/Ticket/Display.html?id=3571
Priority: low
Discovered-by: Frank Schmirler
Assigned-to: mdeslaur
CVSS: 

Patches_openssl:
 upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6ce9687b5aba5391fc0de50e18779eb676d0e04d (1.0.1)
 upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b82924741b4bd590da890619be671f4635e46c2b (0.9.8)
upstream_openssl: released (0.9.8zd, 1.0.1k)
lucid_openssl: released (0.9.8k-7ubuntu8.23)
precise_openssl: released (1.0.1-4ubuntu5.21)
precise/esm_openssl: released (1.0.1-4ubuntu5.21)
trusty_openssl: released (1.0.1f-1ubuntu2.8)
trusty/esm_openssl: released (1.0.1f-1ubuntu2.8)
utopic_openssl: released (1.0.1f-1ubuntu9.1)
vivid_openssl: released (1.0.1f-1ubuntu10)
vivid/stable-phone-overlay_openssl: released (1.0.1f-1ubuntu10)
vivid/ubuntu-core_openssl: released (1.0.1f-1ubuntu10)
wily_openssl: released (1.0.1f-1ubuntu10)
xenial_openssl: released (1.0.1f-1ubuntu10)
esm-infra/xenial_openssl: released (1.0.1f-1ubuntu10)
yakkety_openssl: released (1.0.1f-1ubuntu10)
zesty_openssl: released (1.0.1f-1ubuntu10)
artful_openssl: released (1.0.1f-1ubuntu10)
bionic_openssl: released (1.0.1f-1ubuntu10)
cosmic_openssl: released (1.0.1f-1ubuntu10)
disco_openssl: released (1.0.1f-1ubuntu10)
devel_openssl: released (1.0.1f-1ubuntu10)

Patches_openssl098:
upstream_openssl098: released (0.9.8o-4squeeze18)
lucid_openssl098: DNE
precise_openssl098: ignored (reached end-of-life)
precise/esm_openssl098: DNE (precise was needed)
trusty_openssl098: ignored (reached end-of-life)
trusty/esm_openssl098: DNE (trusty was needed)
utopic_openssl098: ignored (reached end-of-life)
vivid_openssl098: ignored (reached end-of-life)
vivid/stable-phone-overlay_openssl098: DNE
vivid/ubuntu-core_openssl098: DNE
wily_openssl098: DNE
xenial_openssl098: DNE
yakkety_openssl098: DNE
zesty_openssl098: DNE
artful_openssl098: DNE
bionic_openssl098: DNE
cosmic_openssl098: DNE
disco_openssl098: DNE
devel_openssl098: DNE