Description
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation
ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello
omits the signature_algorithms extension (where it was present in the
initial ClientHello), but includes a signature_algorithms_cert extension
then a NULL pointer dereference will result, leading to a crash and a
denial of service attack. A server is only vulnerable if it has TLSv1.2 and
renegotiation enabled (which is the default configuration). OpenSSL TLS
clients are not impacted by this issue. All OpenSSL 1.1.1 versions are
affected by this issue. Users of these versions should upgrade to OpenSSL
1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL
1.1.1k (Affected 1.1.1-1.1.1j).
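A configuration audit for the conditions the description names, as an added example that is not part of the original advisory or OpenSSL's own code: it classifies an upstream version string against the stated range and checks whether a Python `ssl` server context still permits TLSv1.2 with renegotiation. The function names are hypothetical; `ssl.OP_NO_RENEGOTIATION` is the standard-library flag that refuses renegotiation.

```python
import re
import ssl

# Upstream range from the advisory: 1.1.1 through 1.1.1j affected, fixed in 1.1.1k.
FIRST_AFFECTED = (1, 1, 1, 0)
FIRST_FIXED = (1, 1, 1, 11)  # letter release 'k' is the 11th


def parse_upstream(version):
    """Turn an upstream release string such as '1.1.1j' into a sortable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version.strip())
    if m is None:
        raise ValueError(f"not an upstream OpenSSL release string: {version!r}")
    letter = m.group(4)
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), patch)


def upstream_affected(version):
    """True only for upstream 1.1.1 .. 1.1.1j.

    Distro builds backport the fix (this page lists 1.1.1f-1ubuntu2.3 as
    released), so compare the package version there instead of using this.
    """
    return FIRST_AFFECTED <= parse_upstream(version) < FIRST_FIXED


def covers_tls12(ctx):
    """True if the context's protocol bounds and options still admit TLSv1.2."""
    tls12 = ssl.TLSVersion.TLSv1_2
    # MINIMUM_SUPPORTED is a negative sentinel, so it sorts below every version;
    # MAXIMUM_SUPPORTED is also negative and needs an explicit test.
    lo_ok = ctx.minimum_version <= tls12
    hi = ctx.maximum_version
    hi_ok = hi == ssl.TLSVersion.MAXIMUM_SUPPORTED or hi >= tls12
    return lo_ok and hi_ok and not (ctx.options & ssl.OP_NO_TLSv1_2)


def precondition_met(ctx):
    """Server-side precondition from the advisory: TLSv1.2 and renegotiation enabled."""
    return covers_tls12(ctx) and not (ctx.options & ssl.OP_NO_RENEGOTIATION)


def without_renegotiation(ctx):
    """Return ctx with renegotiation refused for TLSv1.2 and earlier."""
    ctx.options |= ssl.OP_NO_RENEGOTIATION
    return ctx
```

Refusing renegotiation only removes the stated precondition; the fix remains the upgrade to 1.1.1k or the patched package version listed for the release.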
Notes
mdeslaur | does not affect 1.0.2
mdeslaur | edk2 doesn't implement a server, so not vulnerable to this issue
Package
Priority: Low
Patches:
Package
Upstream: | needs-triage
Ubuntu 18.04 LTS: | released (1.1.1-1ubuntu2.1~18.04.9)
Ubuntu 16.04 FIPS Compliant: | not-affected (1.0.2g-1ubuntu4.19)
Ubuntu 20.04 LTS: | released (1.1.1f-1ubuntu2.3)
Ubuntu 16.04 FIPS Certified: | not-affected (1.0.2g-1ubuntu4.19)
Ubuntu 21.10: | released (1.1.1j-1ubuntu3)
Ubuntu 16.04 ESM: | not-affected (1.0.2g-1ubuntu4.19)
Ubuntu 18.04 FIPS Certified: | released (1.1.1-1ubuntu2.1~18.04.9)
Ubuntu 20.04 FIPS Certified: | released (1.1.1f-1ubuntu2.3)
Ubuntu 18.04 FIPS Compliant: | released (1.1.1-1ubuntu2.1~18.04.9)
Ubuntu 22.04 LTS: | released (1.1.1j-1ubuntu3)
Ubuntu 14.04 ESM: | not-affected
Ubuntu 20.04 FIPS Compliant: | released (1.1.1f-1ubuntu2.3)
Patches:
Package
Upstream: | needs-triage
Ubuntu 18.04 LTS: | not-affected (1.0.2n-1ubuntu5.6)
Ubuntu 20.04 LTS: | DNE
Ubuntu 21.10: | DNE
Ubuntu 22.04 LTS: | DNE
Ubuntu 14.04 ESM: | DNE
Patches:
Package
Upstream: | needs-triage
Ubuntu 18.04 LTS: | released (10.18-0ubuntu0.18.04.1)
Ubuntu 20.04 LTS: | DNE
Ubuntu 21.10: | DNE
Ubuntu 22.04 LTS: | DNE
Ubuntu 14.04 ESM: | DNE
Patches:
Package
Upstream: | needs-triage
Ubuntu 18.04 LTS: | DNE
Ubuntu 20.04 LTS: | released (12.8-0ubuntu0.20.04.1)
Ubuntu 21.10: | DNE
Ubuntu 22.04 LTS: | DNE
Ubuntu 14.04 ESM: | DNE
Patches:
Package
Upstream: | needs-triage
Ubuntu 18.04 LTS: | DNE
Ubuntu 20.04 LTS: | DNE
Ubuntu 21.10: | released (13.4-1)
Ubuntu 22.04 LTS: | DNE
Ubuntu 14.04 ESM: | DNE
Patches:
Package
Upstream: | needs-triage
Ubuntu 18.04 LTS: | DNE
Ubuntu 20.04 LTS: | DNE
Ubuntu 21.10: | DNE
Ubuntu 22.04 LTS: | DNE
Ubuntu 14.04 ESM: | DNE
Patches:
Package
Upstream: | needs-triage
Ubuntu 18.04 LTS: | DNE
Ubuntu 20.04 LTS: | DNE
Ubuntu 21.10: | DNE
Ubuntu 22.04 LTS: | DNE
Ubuntu 14.04 ESM: | deferred (2019-08-23)
Patches:
Package
Upstream: | needs-triage
Ubuntu 18.04 LTS: | DNE
Ubuntu 20.04 LTS: | DNE
Ubuntu 21.10: | DNE
Ubuntu 16.04 ESM: | needs-triage
Ubuntu 22.04 LTS: | DNE
Ubuntu 14.04 ESM: | DNE
Patches:
Updated: 2022-04-25 00:56:11 UTC (commit ecc1009cb19540b950de59270950018900f37f15)