CVE-2014-3569

Priority
Description
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc,
1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported
protocols, which allows remote attackers to cause a denial of service (NULL
pointer dereference and daemon crash) via an unexpected handshake, as
demonstrated by an SSLv3 handshake to a no-ssl3 application with certain
error handling. NOTE: this issue became relevant after the CVE-2014-3568
fix.
Notes
 mdeslaur> Ubuntu packages aren't compiled with no-ssl3, so aren't actually
 mdeslaur> vulnerable to this issue.
Assigned-to
mdeslaur
Package
Upstream: released (0.9.8zd, 1.0.1k)
Ubuntu 12.04 ESM (Precise Pangolin): released (1.0.1-4ubuntu5.21)
Ubuntu 14.04 LTS (Trusty Tahr): released (1.0.1f-1ubuntu2.8)
Ubuntu 16.04 LTS (Xenial Xerus): released (1.0.1f-1ubuntu10)
Ubuntu 18.04 LTS (Bionic Beaver): released (1.0.1f-1ubuntu10)
Ubuntu 18.10 (Cosmic Cuttlefish): released (1.0.1f-1ubuntu10)
Ubuntu 19.04 (Disco Dingo): released (1.0.1f-1ubuntu10)
Patches:
Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6ce9687b5aba5391fc0de50e18779eb676d0e04d (1.0.1)
Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b82924741b4bd590da890619be671f4635e46c2b (0.9.8)
Package
Upstream: released (0.9.8o-4squeeze18)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needed)
Ubuntu 14.04 LTS (Trusty Tahr): needed
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 18.10 (Cosmic Cuttlefish): DNE
Ubuntu 19.04 (Disco Dingo): DNE
More Information

Updated: 2019-01-14 21:15:39 UTC (commit 51f9b73af244ba86b9321e46e526586c25a8e060)