CVE-2013-6449

Published: 23 December 2013

The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.

Notes

Author    Note
mdeslaur  only 1.0.1+

Priority

Medium

Status

Package   Release   Status
openssl (Launchpad, Ubuntu, Debian)
          lucid     Not vulnerable
          precise   Released (1.0.1-4ubuntu5.11)
          quantal   Released (1.0.1c-3ubuntu2.6)
          raring    Released (1.0.1c-4ubuntu8.2)
          saucy     Released (1.0.1e-3ubuntu1.1)
          upstream  Needs triage

Patches:
upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=0294b2be5f4c11e60620c0018674ff0e17b14238 (1.0.1)
upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=ca989269a2876bae79393bd54c3e72d49975fc75 (1.0.1)