Bug 503685 (CVE-2009-1386)

Summary: CVE-2009-1386 openssl: DTLS NULL deref crash on early ChangeCipherSpec request
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: tmraz, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-22 15:26:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 482112, 501667, 530522    
Bug Blocks:    

Description Tomas Hoger 2009-06-02 08:07:08 UTC 
A NULL pointer dereference flaw was found in OpenSSL affecting DTLS servers.  If client sent a "change cipher spec" request before server had its session structures initialized properly, it caused server to dereference NULL pointer and crash.

Issue was fixed upstream via following commit:
  http://marc.info/?l=openssl-cvs&m=121866006013233&w=2

This fix was first included in upstream version 0.9.8i.
Comment 2 Tomas Hoger 2009-06-02 08:48:20 UTC 
Upstream bug report:
  http://rt.openssl.org/Ticket/Display.html?id=1679&user=guest&pass=guest

Direct link to upstream CVS commit:
  http://cvs.openssl.org/chngview?cn=17369
Comment 4 Tomas Hoger 2009-06-02 09:26:16 UTC 
This issue did not affect versions of openssl as shipped in Red Hat Enterprise Linux 3 and 4.

This issue affects openssl version as shipped in Red Hat Enterprise Linux 5 and it will be addressed in the openssl packages update in Red Hat Enterprise Linux 5.4.  There is no update planned before than, as both DTLS specification and OpenSSL's implementation is still in development and unlikely to be used in production environments.  There is no component shipped in Red Hat Enterprise Linux 5 using OpenSSL's DTLS implementation, except for OpenSSL's testing command line client - openssl.
Comment 5 errata-xmlrpc 2009-09-02 11:00:22 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1335 https://rhn.redhat.com/errata/RHSA-2009-1335.html
Comment 6 errata-xmlrpc 2009-09-02 12:12:02 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1335 https://rhn.redhat.com/errata/RHSA-2009-1335.html
Comment 7 Vincent Danen 2009-09-18 17:46:01 UTC 
This issue doesn't affect Fedora 11, but it does affect Fedora 10 (0.9.8g).  Is it planned to be corrected in Fedora 10?