Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1177249 - (CVE-2014-3569) CVE-2014-3569 openssl: denial of service in ssl23_get_client_hello function
CVE-2014-3569 openssl: denial of service in ssl23_get_client_hello function
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20141021,repor...
: Security
Depends On:
Blocks: 1180194
  Show dependency treegraph
 
Reported: 2014-12-25 06:54 EST by Vasyl Kaigorodov
Modified: 2015-01-14 01:13 EST (History)
24 users (show)

See Also:
Fixed In Version: OpenSSL 1.0.1k, OpenSSL 1.0.0p, OpenSSL 0.9.8zd
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-12-25 06:55:02 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Vasyl Kaigorodov 2014-12-25 06:54:04 EST 
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-3569 to
the following vulnerability:

Name: CVE-2014-3569
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569
Assigned: 20140514
Reference: https://security-tracker.debian.org/tracker/CVE-2014-3569

The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1j
does not properly handle attempts to use unsupported protocols, which
allows remote attackers to cause a denial of service (NULL pointer
dereference and daemon crash) via an unexpected handshake, as
demonstrated by an SSLv3 handshake to a no-ssl3 application with
certain error handling.  NOTE: this issue became relevant after the
CVE-2014-3568 fix.

Statement:

Not vulnerable. The versions of openssl package as shipped in Red Hat Enterprise Linux 5, 6 and 7; Red Hat JBoss Enterprise Application Platform 5 and 6; and Red Hat JBoss Enterprise Web Server 1 and 2 are not vulnerable to CVE-2014-3568, therefore does not have CVE-2014-3568 fix applied, and therefore are not vulnerable to this security flaw.
Comment 1 Vincent Danen 2015-01-08 13:24:29 EST 
External References:

https://www.openssl.org/news/secadv_20150108.txt
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.