A flaw was found in the way OpenSSL handled TLS handshakes. A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL pointer exception. This flaw only affects OpenSSL versions 1.0.1 through 1.0.1e; earlier versions are not affected and this is corrected in upstream version 1.0.1f [1], [2].

[1] http://www.openssl.org/news/vulnerabilities.html#2013-4353
[2] http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=197e0ea817ad64820789d86711d55ff50d71f631
Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1049061]
Created mingw-openssl tracking bugs for this issue: Affects: fedora-all [bug 1049062]
This is a client side issue - an application using the OpenSSL library to implement TLS/SSL client functionality can be crashed by a malicious TLS/SSL server (or a MITM attacker tampering with handshake packets) using this flaw.

Affected code was introduced when Next Protocol Negotiation support was added in version 1.0.1. Relevant upstream commit:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ee2ffc2
Therefore, only versions 1.0.1 are affected by this issue.

The openssl packages in Red Hat Enterprise Linux 5 and earlier are not affected (they are based on older 0.9.* versions). The openssl packages in Red Hat Enterprise Linux 6 before 6.5 were also not affected, as they were based on upstream version 1.0.0. They were updated to version 1.0.1e in Red Hat Enterprise Linux 6.5 via RHBA-2013:1585.
https://rhn.redhat.com/errata/RHBA-2013-1585.html

Statement:

This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 5 and earlier.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2014:0015 https://rhn.redhat.com/errata/RHSA-2014-0015.html
openssl-1.0.1e-37.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
openssl-1.0.1e-37.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
openssl-1.0.1e-37.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
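As an added example (not part of this bug, and not OpenSSL or Red Hat tooling), the following Python classifies an OpenSSL version string, or a Fedora openssl package NVR, against the affected upstream range and the fixed Fedora builds named in this bug. The NVR layout it accepts and the plain-integer comparison of release numbers are assumptions made for the example.

```python
import re

# Upstream affected range per the bug: 1.0.1 through 1.0.1e (fixed in 1.0.1f).
AFFECTED_LOW = (1, 0, 1, "")    # 1.0.1
AFFECTED_HIGH = (1, 0, 1, "e")  # 1.0.1e
# Fixed Fedora builds, taken from the "pushed to stable" comments in the bug.
FEDORA_FIXED = {"fc18": "1.0.1e-37", "fc19": "1.0.1e-37", "fc20": "1.0.1e-37"}

_UPSTREAM_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")
_NVR_RE = re.compile(r"^openssl-(\d+\.\d+\.\d+[a-z]*)-(\d+)\.(fc\d+)$")


def parse_openssl_version(text):
    """Comparable tuple for '1.0.1e' or 'OpenSSL 1.0.1e-fips 11 Feb 2013'.
    The letter suffix compares lexically and '' sorts before 'a', so
    1.0.1 < 1.0.1a < ... < 1.0.1e < 1.0.1f."""
    m = _UPSTREAM_RE.search(text)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def upstream_affected(text):
    """True if the upstream version is in the affected 1.0.1 .. 1.0.1e range."""
    return AFFECTED_LOW <= parse_openssl_version(text) <= AFFECTED_HIGH


def fedora_status(nvr):
    """Classify a Fedora openssl NVR such as 'openssl-1.0.1e-37.fc19'.
    Distribution packages carry backported fixes, so the upstream version
    alone is not enough: the package release is compared with the fixed
    build.  Release numbers are compared as plain integers here, a
    simplification of full RPM version comparison (an assumption)."""
    m = _NVR_RE.match(nvr)
    if not m:
        raise ValueError("unrecognised Fedora openssl NVR: %r" % nvr)
    version, release, dist = m.groups()
    if not upstream_affected(version):
        return "not-affected"
    if dist not in FEDORA_FIXED:
        return "unknown"  # no fixed build recorded in the bug for this release
    fixed_version, fixed_release = FEDORA_FIXED[dist].split("-")
    have = (parse_openssl_version(version), int(release))
    need = (parse_openssl_version(fixed_version), int(fixed_release))
    return "fixed" if have >= need else "vulnerable"
```

The same backport caveat applies to Red Hat Enterprise Linux 6.5, whose openssl-1.0.1e also falls inside the upstream range: there the fix ships as RHSA-2014:0015, so the erratum, not the version string, decides.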
This issue has been addressed in the following products:

RHEV-H and Agents for RHEL-6

Via RHSA-2014:0041 https://rhn.redhat.com/errata/RHSA-2014-0041.html
This issue has been addressed in the following products:

RHEV Manager version 3.3

Via RHSA-2014:0416 https://rhn.redhat.com/errata/RHSA-2014-0416.html