Bug 911399 - (CVE-2014-3569) VUL-0: CVE-2014-3569: openssl: remote denial of service when built with no-ssl3
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assigned To: Vítězslav Čížek
QA Contact: Security Team bot
Depends on:
Blocks:
Reported: 2014-12-30 20:19 UTC by Marcus Meissner
Modified: 2015-02-19 08:03 UTC
CC: 0 users
See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Marcus Meissner 2014-12-30 20:19:15 UTC
via nvd

The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix.


https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6ce9687b5aba5391fc0de50e18779eb676d0e04d

http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3569.html

https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b82924741b4bd590da890619be671f4635e46c2b

https://security-tracker.debian.org/tracker/CVE-2014-3569

https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=392fa7a952e97d82eac6958c81ed1e256e6b8ca5

http://rt.openssl.org/Ticket/Display.html?id=3571&user=guest&pass=guest
Comment 1 Marcus Meissner 2014-12-30 20:23:16 UTC
We still build with ssl3, even in Factory.

-> not affected by this problem.
Comment 2 Marcus Meissner 2014-12-30 20:24:21 UTC
CVE-2014-3569,20141230,NOTE:We so far are building openssl with ssl3 enabled, so this problem does not affect our packages.
Comment 3 Marcus Meissner 2015-01-08 16:09:38 UTC
openssl.org/news/secadv_20150108.txt 


no-ssl3 configuration sets method to NULL (CVE-2014-3569)
=========================================================

Severity: Low

When openssl is built with the no-ssl3 option and a SSL v3 ClientHello is
received the ssl method would be set to NULL which could later result in
a NULL pointer dereference.

This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 17th October 2014 by Frank Schmirler. The
fix was developed by Kurt Roeckx.
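As an added example (not OpenSSL's code, and not part of this bug report), the C program below models the failure described in the NVD text in the description and in the advisory quoted above: a version-flexible server peeks at the ClientHello, picks a protocol method from the client_version, and, when the SSLv3 branch has been compiled out, is left holding a NULL method that is dereferenced later in the handshake. `demo_method`, `select_method_unchecked`, `server_accept_unchecked`/`server_accept_checked` and the `DEMO_NO_SSL3` macro are stand-ins for SSL_METHOD, the version switch in ssl23_get_client_hello and the no-ssl3 build option; the ClientHello byte strings are constructed, truncated inputs rather than captures. The checked variant shows the shape of the fix: treat an unsupported protocol as an explicit error before the method is ever used.

```c
/*
 * Added example, not OpenSSL's code: a stripped-down model of the
 * version-dispatch step behind CVE-2014-3569. demo_method stands in for
 * SSL_METHOD, select_method_unchecked for the version switch in
 * ssl23_get_client_hello, and DEMO_NO_SSL3 for building with no-ssl3.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DEMO_NO_SSL3 1          /* 1 = model a no-ssl3 build, 0 = SSLv3 compiled in */

enum { VER_SSL3 = 0x0300, VER_TLS10 = 0x0301, VER_TLS11 = 0x0302, VER_TLS12 = 0x0303 };

typedef struct {                /* stand-in for OpenSSL's SSL_METHOD */
    const char *name;
    int version;
} demo_method;

#if !DEMO_NO_SSL3
static const demo_method SSL3_METHOD  = { "SSLv3",   VER_SSL3  };
#endif
static const demo_method TLS10_METHOD = { "TLSv1",   VER_TLS10 };
static const demo_method TLS11_METHOD = { "TLSv1.1", VER_TLS11 };
static const demo_method TLS12_METHOD = { "TLSv1.2", VER_TLS12 };

/* Constructed test inputs: the first bytes of a record-layer ClientHello
 * (handshake record, ClientHello type, client_version at offsets 9-10).
 * Lengths and trailing bytes are filler, not real captures. */
static const uint8_t SSL3_HELLO[]  = { 0x16,0x03,0x00, 0x00,0x2f, 0x01, 0x00,0x00,0x2b, 0x03,0x00, 0x54,0xa2,0x11,0x00 };
static const uint8_t TLS10_HELLO[] = { 0x16,0x03,0x01, 0x00,0x2f, 0x01, 0x00,0x00,0x2b, 0x03,0x01, 0x54,0xa2,0x11,0x00 };
static const uint8_t NOT_TLS[]     = { 'G','E','T',' ','/',' ','H','T','T','P','/' };  /* plaintext on a TLS port */

/* Inspect the record and handshake headers a version-flexible server looks
 * at before picking a method. Returns 0 with *version set, or -1 if this is
 * not an SSLv3/TLS-format ClientHello. (SSLv2-format hellos, which OpenSSL
 * also accepts at this point, are out of scope for the model.) */
static int peek_client_version(const uint8_t *buf, size_t n, int *version)
{
    if (n < 11) return -1;
    if (buf[0] != 0x16 || buf[1] != 0x03) return -1;  /* handshake record, major version 3 */
    if (buf[5] != 0x01) return -1;                     /* HandshakeType client_hello */
    *version = (buf[9] << 8) | buf[10];
    return 0;
}

/* Version switch in the vulnerable style: when the SSLv3 branch is compiled
 * out, no method exists for that version and the caller gets NULL. */
static const demo_method *select_method_unchecked(int version)
{
    if (version > VER_TLS12) return &TLS12_METHOD;    /* newer client: negotiate down */
    switch (version) {
    case VER_TLS12: return &TLS12_METHOD;
    case VER_TLS11: return &TLS11_METHOD;
    case VER_TLS10: return &TLS10_METHOD;
    case VER_SSL3:
#if DEMO_NO_SSL3
        return NULL;                                   /* the bug: no method for SSLv3 */
#else
        return &SSL3_METHOD;
#endif
    default: return NULL;
    }
}

/* The crash pattern the advisory describes: the method is used without a
 * check. Given SSL3_HELLO under DEMO_NO_SSL3 this dereferences NULL. */
static int server_accept_unchecked(const uint8_t *hello, size_t n)
{
    int ver;
    const demo_method *m;
    if (peek_client_version(hello, n, &ver) != 0) return -1;
    m = select_method_unchecked(ver);
    printf("unchecked path: continuing with %s\n", m->name);   /* NULL deref here */
    return m->version;
}

/* Hardened handling: an unsupported protocol is rejected explicitly
 * (return -2; a real server would send a protocol_version alert and close),
 * so a NULL method can never reach the handshake state machine. */
static int server_accept_checked(const uint8_t *hello, size_t n)
{
    int ver;
    const demo_method *m;
    if (peek_client_version(hello, n, &ver) != 0) return -1;   /* not a ClientHello at all */
    m = select_method_unchecked(ver);
    if (m == NULL) return -2;                                  /* unsupported protocol */
    printf("checked path: accepted %s\n", m->name);
    return m->version;
}

int main(void)
{
    printf("SSLv3 hello  -> %d\n", server_accept_checked(SSL3_HELLO, sizeof SSL3_HELLO));
    printf("TLS1.0 hello -> 0x%04x\n", server_accept_checked(TLS10_HELLO, sizeof TLS10_HELLO));
    printf("not TLS      -> %d\n", server_accept_checked(NOT_TLS, sizeof NOT_TLS));
    /* server_accept_unchecked(SSL3_HELLO, sizeof SSL3_HELLO) would crash the process here. */
    server_accept_unchecked(TLS10_HELLO, sizeof TLS10_HELLO);
    return 0;
}
```

Build with `cc -Wall demo.c && ./a.out`; set `DEMO_NO_SSL3` to 0 to see the SSLv3 hello accepted instead of rejected. The relevance test from comment 1 applies to real builds the same way: a no-ssl3 OpenSSL has `OPENSSL_NO_SSL3` defined in its installed `openssl/opensslconf.h`, and only such builds are exposed to this issue.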
Comment 4 Bernhard Wiedemann 2015-01-09 12:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (911399) was mentioned in
https://build.opensuse.org/request/show/280570 Factory / openssl
Comment 5 Swamp Workflow Management 2015-01-23 19:05:21 UTC
openSUSE-SU-2015:0130-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 911399,912014,912015,912018,912292,912293,912294,912296
CVE References: CVE-2014-3569,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-8275,CVE-2015-0204,CVE-2015-0205,CVE-2015-0206
Sources used:
openSUSE 13.2 (src):    openssl-1.0.1k-2.16.2
openSUSE 13.1 (src):    openssl-1.0.1k-11.64.2