CVE-2013-4353: Input Validation
First published: Mon Jan 06 2014(Updated: )
A flaw was found in the way OpenSSL handled TLS handshakes. A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL pointer exception. This flaw only affects OpenSSL versions 1.0.1 through 1.0.1e; earlier versions are not affected and this is corrected in upstream version 1.0.1f [1],[2]. [1] <a href="http://www.openssl.org/news/vulnerabilities.html#2013-4353">http://www.openssl.org/news/vulnerabilities.html#2013-4353</a> [2] <a href="http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=197e0ea817ad64820789d86711d55ff50d71f631">http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=197e0ea817ad64820789d86711d55ff50d71f631</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenSSL OpenSSL | =1.0.1 | |
| OpenSSL OpenSSL | =1.0.1-beta1 | |
| OpenSSL OpenSSL | =1.0.1-beta2 | |
| OpenSSL OpenSSL | =1.0.1-beta3 | |
| OpenSSL OpenSSL | =1.0.1a | |
| OpenSSL OpenSSL | =1.0.1b | |
| OpenSSL OpenSSL | =1.0.1c | |
| OpenSSL OpenSSL | =1.0.1d | |
| OpenSSL OpenSSL | =1.0.1e | |
| redhat/openssl | <1.0.1 | 1.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openssl.org/news/vulnerabilities.html#2013-4353
- http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=197e0ea817ad64820789d86711d55ff50d71f631
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1049061
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1049062
- http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ee2ffc2
- https://rhn.redhat.com/errata/RHBA-2013-1585.html
- https://rhn.redhat.com/errata/RHSA-2014-0015.html
- https://rhn.redhat.com/errata/RHSA-2014-0041.html
- https://rhn.redhat.com/errata/RHSA-2014-0416.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1049058
- http://git.openssl.org/gitweb/?p=openssl.git;a=blob_plain;f=CHANGES;hb=refs/heads/OpenSSL_1_0_1-stable
- http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=197e0ea817ad64820789d86711d55ff50d71f631
- http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136470.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00065.html
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00067.html
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00070.html
- http://rhn.redhat.com/errata/RHSA-2014-0015.html
- http://rhn.redhat.com/errata/RHSA-2014-0041.html
- http://www-01.ibm.com/support/docview.wss?uid=isg400001841
- http://www-01.ibm.com/support/docview.wss?uid=isg400001843
- http://www.debian.org/security/2014/dsa-2837
- http://www.openssl.org/news/vulnerabilities.html
- http://www.splunk.com/view/SP-CAAAMB3
- http://www.ubuntu.com/usn/USN-2079-1
- http://git.openssl.org/gitweb/?p=openssl.git%3Ba=blob_plain%3Bf=CHANGES%3Bhb=refs/heads/OpenSSL_1_0_1-stable
- http://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=197e0ea817ad64820789d86711d55ff50d71f631
- collector/nvd-index
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/references
- agent/author
- agent/tags
- agent/event
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-4353
- agent/software-canonical-lookup
- vendor/openssl
- canonical/openssl openssl
- version/openssl openssl/1.0.1
- version/openssl openssl/1.0.1-beta1
- version/openssl openssl/1.0.1-beta2
- version/openssl openssl/1.0.1-beta3
- version/openssl openssl/1.0.1a
- version/openssl openssl/1.0.1b
- version/openssl openssl/1.0.1c
- version/openssl openssl/1.0.1d
- version/openssl openssl/1.0.1e
- package-manager/redhat