A flaw was found in the way OpenSSL (client side code) parsed TLS SRP extension packets. The ServerHello indicated that it intended to use SRP ciphersuite, but SRP parameters were omitted. When a client connectected to such a server, which offered SRP ciphersuites, this could cause the client to crash.
Red Hat would like to thank the CERT Coordination Center (CERT/CC) for reporting this issue.
The version of openssl as shipped with Red Hat Enterprise Linux 5, 6, and 7 does not support the Secure Remote Password (SRP) protocol as an authentication method for the Transport Layer Security protocol and therefore is not affected.
This issue does not affect the version of openssl as shipped with Fedora 19 and Fedora 20.
Public now via upstream commit:
It seems this issue got another duplicate CVE id CVE-2014-5139 (bug 1127491) assigned to this issue by OpenSSL upstream.
Note that SRP support was introduced upstream in version 1.0.1.
CVE-2014-2970 was also incorrectly used to refer to the LibreSSL PRNG re-seeding issue described in:
Because of the incorrect use, the id has already been rejected as duplicate:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5139.
Reason: This candidate is a duplicate of CVE-2014-5139, and has also been
used to refer to an unrelated topic that is currently outside the scope of
CVE. This unrelated topic is a LibreSSL code change adding functionality
for certain process-bifurcation use cases that might arise in future
LibreSSL-based applications. There is no CVE ID associated with this
LibreSSL code change. As of 20140730, CVE-2014-5139 is an undisclosed
vulnerability in a different product, with ongoing vulnerability
coordination that had previously used the CVE-2014-2970 ID.
*** This bug has been marked as a duplicate of bug 1127491 ***