From the upstream advisory [1]: OpenSSL server code for ephemeral ECDH ciphersuites is not thread-safe, and furthermore can crash if a client violates the protocol by sending handshake messages in incorrect order. (CVE-2011-3210) This issue applies to OpenSSL 0.9.8 through 0.9.8s (experimental "ECCdraft" ciphersuites) and to OpenSSL 1.0.0 through 1.0.0d. Affected users of OpenSSL should update to the OpenSSL 1.0.0e release, which contains a patch to correct this issue. If you cannot immediately upgrade, we recommend that you disable ephemeral ECDH ciphersuites if you have enabled them. Thanks to Adam Langley <agl> for identifying and fixing this issue. Only server-side applications that specifically support ephemeral ECDH ciphersuites are affected by the ephemeral ECDH crash bug and only if ephemeral ECDH ciphersuites are enabled in the configuration. You can check to see if application supports ephemeral ECDH ciphersuites by looking for SSL_CTX_set_tmp_ecdh, SSL_set_tmp_ecdh, SSL_CTRL_SET_TMP_ECDH, SSL_CTX_set_tmp_ecdh_callback, SSL_set_tmp_ecdh_callback, SSL_CTRL_SET_TMP_ECDH_CB in the source code. [1] http://www.openssl.org/news/secadv_20110906.txt Statement: Not vulnerable. This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 3, 4, 5, or 6, as they do not include the support for the elliptic curve cryptography.
Upstream commit: http://cvs.openssl.org/chngview?cn=21337