First published: Mon Jun 02 2014
As per the upstream advisory: By sending an invalid DTLS handshake to an OpenSSL DTLS client, the code can be made to recurse, eventually crashing in a DoS attack. Only applications using OpenSSL as a DTLS client are affected. OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za. OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m. OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h. Acknowledgements: Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges Imre Rad of Search-Lab as the original reporter of this issue.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/openssl | <1.0.1 | 1.0.1 |
| redhat/openssl | <0.9.8 | 0.9.8 |
| OpenSSL OpenSSL | >=0.9.8 <0.9.8za | |
| OpenSSL OpenSSL | >=1.0.0 <1.0.0m | |
| OpenSSL OpenSSL | >=1.0.1 <1.0.1h | |
| Redhat Storage | =2.1 | |
| Fedoraproject Fedora | | |
| Redhat Enterprise Linux | =5 | |
| Redhat Enterprise Linux | =6.0 | |
| Mariadb Mariadb | >=10.0.0 <10.0.13 | |
| Fedoraproject Fedora | =19 | |
| Fedoraproject Fedora | =20 | |
| openSUSE Leap | =42.1 | |
| openSUSE openSUSE | =13.2 | |
| SUSE Linux Enterprise Desktop | =12 | |
| SUSE Linux Enterprise Server | =12 | |
| SUSE Linux Enterprise Software Development Kit | =12 | |
| Suse Linux Enterprise Workstation Extension | =12 | |
Upstream commit: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=d3152655d5319ce883c8e3ac4b99f8de4c59d846
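Added example (not code from the advisory or the OpenSSL project): a Python check that parses `openssl version` output and compares the patch letters against the fixed releases named above (0.9.8za, 1.0.0m, 1.0.1h), handling OpenSSL's a..z, za, zb letter ordering. It assumes upstream version strings; the sample strings are constructed, and distribution builds that backport the fix without changing the version string will show as unfixed.

```python
import re

# First non-vulnerable patch level per branch, taken from the advisory's upgrade advice.
# Branches the advisory does not list (e.g. 1.0.2) are reported as "unlisted".
FIXED_PATCH = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_openssl_version(version_output):
    """Return (branch, patch_letters) from `openssl version` text,
    e.g. 'OpenSSL 1.0.1g 7 Apr 2014' -> ('1.0.1', 'g'); a '-fips' suffix is ignored."""
    match = _VERSION_RE.search(version_output)
    if match is None:
        raise ValueError("not an OpenSSL version string: %r" % version_output)
    return match.group(1), match.group(2)


def _patch_key(letters):
    """OpenSSL patch letters sort a < b < ... < z < za < zb: shorter first, then lexical."""
    return (len(letters), letters)


def check_dtls_recursion_fix(version_output):
    """Classify a build as 'vulnerable', 'fixed' or 'unlisted' against the advisory.

    'vulnerable' means the build predates the fixed release; per the advisory only
    applications using OpenSSL as a DTLS client are actually exposed. Distribution
    packages that backport the fix keep the old version string (false positive here).
    """
    branch, letters = parse_openssl_version(version_output)
    fixed = FIXED_PATCH.get(branch)
    if fixed is None:
        return "unlisted"
    return "vulnerable" if _patch_key(letters) < _patch_key(fixed) else "fixed"


if __name__ == "__main__":
    # Constructed sample strings in the shape `openssl version` prints.
    for sample in ("OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.1h 5 Jun 2014",
                   "OpenSSL 0.9.8y", "OpenSSL 0.9.8za", "OpenSSL 1.0.2"):
        print(sample, "->", check_dtls_recursion_fix(sample))
```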