Bug 1152967 (CVE-2014-3568) - CVE-2014-3568 openssl: Build option no-ssl3 is incomplete
Summary: CVE-2014-3568 openssl: Build option no-ssl3 is incomplete
Alias: CVE-2014-3568
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1153471 1153473
Blocks: 1152790
Reported: 2014-10-15 09:46 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-02-17 06:05 UTC (History)

Fixed In Version: openssl 0.9.8zc, openssl 1.0.0o, openssl 1.0.1j
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-10-15 09:47:45 UTC


Description Huzaifa S. Sidhpurwala 2014-10-15 09:46:18 UTC
OpenSSL upstream reported the following security flaw:

When OpenSSL is configured with "no-ssl3" as a build option, servers could accept and complete an SSL 3.0 handshake, and clients could be configured to send them.

OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.

This issue was reported to OpenSSL by Akamai Technologies on 14th October 2014.

The fix was developed by Akamai and the OpenSSL team.

External Reference:


Comment 1 Huzaifa S. Sidhpurwala 2014-10-15 09:47:45 UTC

Not vulnerable. The versions of the openssl package as shipped in Red Hat Enterprise Linux 5, 6 and 7; Red Hat JBoss Enterprise Application Platform 5 and 6; and Red Hat JBoss Enterprise Web Server 1 and 2 are not built with the "no-ssl3" option and therefore are not vulnerable to this security flaw.

Comment 3 Tomas Hoger 2014-10-15 19:45:42 UTC
Fixed upstream in OpenSSL versions 0.9.8zc, 1.0.0o and 1.0.1j:

