CVE-2010-5298

Published: 14 April 2014

Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.

Priority

Low

Status

Package Release Status
openssl
Upstream Needs triage
Ubuntu 14.04 ESM (Trusty Tahr) Released (1.0.1f-1ubuntu2.1)
Patches:
Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d1f4b
Vendor: http://svnweb.freebsd.org/ports/head/security/openssl/files/patch-ssl-s3_pkt.c?revision=351191&view=markup
Vendor: http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/004_openssl.patch.sig
openssl098
Upstream Needs triage
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist (trusty was not-affected [code not present])