First published: Fri Jan 09 2015(Updated: )
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
OpenSSL OpenSSL | <=0.9.8zc | |
OpenSSL OpenSSL | =1.0.0a | |
OpenSSL OpenSSL | =1.0.0b | |
OpenSSL OpenSSL | =1.0.0c | |
OpenSSL OpenSSL | =1.0.0d | |
OpenSSL OpenSSL | =1.0.0e | |
OpenSSL OpenSSL | =1.0.0f | |
OpenSSL OpenSSL | =1.0.0g | |
OpenSSL OpenSSL | =1.0.0h | |
OpenSSL OpenSSL | =1.0.0i | |
OpenSSL OpenSSL | =1.0.0j | |
OpenSSL OpenSSL | =1.0.0k | |
OpenSSL OpenSSL | =1.0.0l | |
OpenSSL OpenSSL | =1.0.0m | |
OpenSSL OpenSSL | =1.0.0n | |
OpenSSL OpenSSL | =1.0.0o | |
OpenSSL OpenSSL | =1.0.1a | |
OpenSSL OpenSSL | =1.0.1b | |
OpenSSL OpenSSL | =1.0.1c | |
OpenSSL OpenSSL | =1.0.1d | |
OpenSSL OpenSSL | =1.0.1e | |
OpenSSL OpenSSL | =1.0.1f | |
OpenSSL OpenSSL | =1.0.1g | |
OpenSSL OpenSSL | =1.0.1h | |
OpenSSL OpenSSL | =1.0.1i | |
OpenSSL OpenSSL | =1.0.1j |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.