CVE-2011-3210
Published: 22 September 2011
The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through 0.9.8r and 1.0.x before 1.0.0e does not ensure thread safety during processing of handshake messages from clients, which allows remote attackers to cause a denial of service (daemon crash) via out-of-order messages that violate the TLS protocol.
Notes
| Author | Note |
|---|---|
| jdstrand | from upstream: applications are only affected by the CRL checking vulnerability if they enable OpenSSL's internal CRL checking which is off by default. For example by setting the verification flag X509_V_FLAG_CRL_CHECK or X509_V_FLAG_CRL_CHECK_ALL The following packages in main use this X509_V_FLAG_CRL_CHECK* curl, dovecot, exim4, freeradius, ipsec-tools, krb5, libio-socket-ssl-perl, libnet-ssleay-perl, likewise-open, mysql-5.1, nmap, openldap, openvpn, postgresql-9.1, ruby1.8, squid, telepathy-gabble, telepathy-salut, wpasupplicant the above need to also support ECDH to be affected |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
openssl Launchpad, Ubuntu, Debian |
hardy |
Released
(0.9.8g-4ubuntu3.15)
|
| lucid |
Released
(0.9.8k-7ubuntu8.8)
|
|
| maverick |
Released
(0.9.8o-1ubuntu4.6)
|
|
| natty |
Released
(0.9.8o-5ubuntu1.2)
|
|
| oneiric |
Not vulnerable
(1.0.0e-2ubuntu1)
|
|
| upstream |
Released
(1.0.0e)
|
|
|
Patches: upstream: http://cvs.openssl.org/chngview?cn=21334 upstream: http://cvs.openssl.org/chngview?cn=21335 |
||