CVE-2015-3216
Published: 7 July 2015
Race condition in a certain Red Hat patch to the PRNG lock implementation in the ssleay_rand_bytes function in OpenSSL, as distributed in openssl-1.0.1e-25.el7 in Red Hat Enterprise Linux (RHEL) 7 and other products, allows remote attackers to cause a denial of service (application crash) by establishing many TLS sessions to a multithreaded server, leading to use of a negative value for a certain length field.
Notes
| Author | Note |
|---|---|
| seth-arnold | The vulnerable code in question was introduced as a distro-patch by Red Hat to address FIPS locking issues. Our packages don't share the locking fix in question, and upstream fixed the FIPS locking via a different method. |
Priority
Status
| Package | Release | Status |
|---|---|---|
| openssl (Launchpad, Ubuntu, Debian) | upstream | Not vulnerable |
| openssl | precise | Not vulnerable |
| openssl | trusty | Not vulnerable |
| openssl | utopic | Not vulnerable |
| openssl | vivid | Not vulnerable |
| openssl098 (Launchpad, Ubuntu, Debian) | upstream | Not vulnerable |
| openssl098 | precise | Not vulnerable |
| openssl098 | trusty | Does not exist (trusty was not-affected) |
| openssl098 | utopic | Not vulnerable |
| openssl098 | vivid | Not vulnerable |