Bugzilla – Bug 911399
VUL-0: CVE-2014-3569: openssl: remote denial of service when built with no-ssl3
Last modified: 2015-02-19 08:03:57 UTC
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix.
we still built with ssl3 even in factory.
-> not affected by this problem.
CVE-2014-3569,20141230,NOTE:We so far are building openssl with ssl3 enabled, so this problem does not affect our packages.
no-ssl3 configuration sets method to NULL (CVE-2014-3569)
When openssl is built with the no-ssl3 option and a SSL v3 ClientHello is
received the ssl method would be set to NULL which could later result in
a NULL pointer dereference.
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
This issue was reported to OpenSSL on 17th October 2014 by Frank Schmirler. The
fix was developed by Kurt Roeckx.
This is an autogenerated message for OBS integration:
This bug (911399) was mentioned in
https://build.opensuse.org/request/show/280570 Factory / openssl
openSUSE-SU-2015:0130-1: An update that fixes 8 vulnerabilities is now available.
Category: security (important)
Bug References: 911399,912014,912015,912018,912292,912293,912294,912296
CVE References: CVE-2014-3569,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-8275,CVE-2015-0204,CVE-2015-0205,CVE-2015-0206
openSUSE 13.2 (src): openssl-1.0.1k-2.16.2
openSUSE 13.1 (src): openssl-1.0.1k-11.64.2