CVE-2011-3210

Publication date 22 September 2011

Last updated 24 July 2024


Ubuntu priority

The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through 0.9.8r and 1.0.x before 1.0.0e does not ensure thread safety during processing of handshake messages from clients, which allows remote attackers to cause a denial of service (daemon crash) via out-of-order messages that violate the TLS protocol.

Read the notes from the security team

Status

Package Ubuntu Release Status
openssl 11.10 oneiric
Not affected
11.04 natty
Fixed 0.9.8o-5ubuntu1.2
10.10 maverick
Fixed 0.9.8o-1ubuntu4.6
10.04 LTS lucid
Fixed 0.9.8k-7ubuntu8.8
8.04 LTS hardy
Fixed 0.9.8g-4ubuntu3.15

Notes


jdstrand

from upstream: applications are only affected by the CRL checking vulnerability if they enable OpenSSL's internal CRL checking which is off by default. For example by setting the verification flag X509_V_FLAG_CRL_CHECK or X509_V_FLAG_CRL_CHECK_ALL The following packages in main use this X509_V_FLAG_CRL_CHECK* curl, dovecot, exim4, freeradius, ipsec-tools, krb5, libio-socket-ssl-perl, libnet-ssleay-perl, likewise-open, mysql-5.1, nmap, openldap, openvpn, postgresql-9.1, ruby1.8, squid, telepathy-gabble, telepathy-salut, wpasupplicant the above need to also support ECDH to be affected

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
openssl

References

Related Ubuntu Security Notices (USN)

    • USN-1357-1
    • OpenSSL vulnerabilities
    • 9 February 2012

Other references