CVE-2008-7270

Publication date 6 December 2010

Last updated 24 July 2024


Ubuntu priority

OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.

Read the notes from the security team

Status

Package Ubuntu Release Status
openssl 10.10 maverick
Not affected
10.04 LTS lucid
Not affected
9.10 karmic
Fixed 0.9.8g-16ubuntu3.5
8.04 LTS hardy
Fixed 0.9.8g-4ubuntu3.13
6.06 LTS dapper
Fixed 0.9.8a-7ubuntu0.14

Notes


jdstrand

per sbeattie, "the same fix for CVE-2010-4180 that's backported will fix it, as the whole SL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG block gets ifdef'd out"

References

Related Ubuntu Security Notices (USN)

    • USN-1029-1
    • OpenSSL vulnerabilities
    • 8 December 2010

Other references