Bug 1103600 (CVE-2014-3470)
| Summary: | CVE-2014-3470 openssl: client-side denial of service when using anonymous ECDH | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Huzaifa S. Sidhpurwala <huzaifas> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | unspecified | CC: | aavati, abaron, acathrow, aneelica, aortega, apevec, ayoung, bazulay, cdewolf, cfergeau, chrisw, cpelland, dallan, darran.lofthouse, dblechte, fdeutsch, fnasser, gklein, gkotton, huwang, idith, iheim, jawilson, jkurik, jrusnack, lgao, lhh, markmc, myarboro, nlevinki, pgier, pmatouse, pslavice, rbryant, rfortier, rsvoboda, sclewis, security-response-team, ssaha, tmraz, vbellur, vtunka, weli, yeylon | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | openssl 1.0.1h, openssl 1.0.0m, openssl 0.9.8za | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2014-06-11 05:31:53 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 1096233, 1096234, 1103604, 1103605, 1103632, 1103633, 1103741, 1104349, 1104350, 1127888, 1127889 | ||||||
| Bug Blocks: | 1103601 | ||||||
| Attachments: |
|
||||||
|
Description
Huzaifa S. Sidhpurwala
2014-06-02 07:48:42 UTC
Created attachment 901376 [details]
Upstream patch
Fixed upstream in OpenSSL 1.0.1h, 1.0.0m and 0.9.8za. External References: https://www.openssl.org/news/secadv_20140605.txt Upstream commits: OpenSSL-1.0.1: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8011cd56e39a433b1837465259a9bd24a38727fb OpenSSL-0.9.8: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=141a5482fdd1944804cc342c1c443362eed8501b This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2014:0625 https://rhn.redhat.com/errata/RHSA-2014-0625.html Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1096233] Created mingw-openssl tracking bugs for this issue: Affects: fedora-all [bug 1096234] This issue has been addressed in following products: Red Hat Storage 2.1 Via RHSA-2014:0628 https://rhn.redhat.com/errata/RHSA-2014-0628.html Statement: This issue does not affect the version of openssl and openssl097a as shipped with Red Hat Enterprise Linux 5. This issue does not affect the openssl098e as shipped with Red Hat Enterprise Linux 6. openssl-1.0.1e-38.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. openssl-1.0.1e-38.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in following products: Red Hat Enterprise Linux 7 Via RHSA-2014:0679 https://rhn.redhat.com/errata/RHSA-2014-0679.html Created mingw32-openssl tracking bugs for this issue: Affects: epel-5 [bug 1127888] |