CVE-2013-6450
Published: 1 January 2014
The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.
Notes
Author | Note |
---|---|
mdeslaur | only affects 1.0.0+ |
Priority
Status
Package | Release | Status |
---|---|---|
openssl (Launchpad, Ubuntu, Debian) | lucid | Not vulnerable |
openssl | precise | Released (1.0.1-4ubuntu5.11) |
openssl | quantal | Released (1.0.1c-3ubuntu2.6) |
openssl | raring | Released (1.0.1c-4ubuntu8.2) |
openssl | saucy | Released (1.0.1e-3ubuntu1.1) |
openssl | upstream | Needs triage |
Patches:
upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=a6c62f0c25a756c263a80ce52afbae888028e986 (1.0.1)
upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=34628967f1e65dc8f34e000f0f5518e21afbfc7b (1.0.1)
upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=f3dcc8411e518fb0835c7d72df4a58718205260d (regression? 1.0.1)
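As an added example (not part of this tracker page, of Ubuntu's tooling, or of OpenSSL), the following POSIX sh script classifies an OpenSSL build against the affected ranges stated in the description above (1.0.0 before 1.0.0l, 1.0.1 before 1.0.1f) and, for Ubuntu, against the fixed package versions in the status table. The function names (`upstream_status`, `ubuntu_status`, `ubuntu_fixed_version`, `check_local_openssl`) and the letter-to-number mapping are my own; the only data it relies on is what the page states.

```shell
#!/bin/sh
# Added example, not from the Ubuntu CVE tracker or OpenSSL: classify an
# OpenSSL build against CVE-2013-6450 using only the ranges the advisory
# states (upstream 1.0.0 before 1.0.0l, 1.0.1 before 1.0.1f) and the fixed
# Ubuntu package versions from the status table. Function names are mine.

LETTERS=abcdefghijklmnopqrstuvwxyz

# letter_index: OpenSSL patch-letter suffix -> number ("" = 0, a = 1 ... z = 26).
# OpenSSL orders 1.0.1 < 1.0.1a < ... < 1.0.1z, so this gives a sortable key.
# Anything else maps to 99, meaning "cannot classify".
letter_index() {
    case "$1" in
        '')    echo 0 ;;
        [a-z]) _p=${LETTERS%%"$1"*}; echo $(( ${#_p} + 1 )) ;;
        *)     echo 99 ;;
    esac
}

# upstream_status VERSION: print vulnerable | fixed | not-affected | unknown.
# VERSION is the bare upstream token, e.g. 1.0.1e. Build tags after '-' or
# ' ' are dropped ("1.0.1e-fips" -> 1.0.1e), which errs on the side of
# reporting pre-release builds of an affected branch as vulnerable.
upstream_status() {
    _v=${1%%[- ]*}
    _base=${_v%[a-z]}           # 1.0.1e -> 1.0.1 ; 1.0.1 -> 1.0.1
    _suffix=${_v#"$_base"}      # 1.0.1e -> e     ; 1.0.1 -> ""
    case "$_base" in
        1.0.0) _fix=$(letter_index l) ;;        # fixed in 1.0.0l
        1.0.1) _fix=$(letter_index f) ;;        # fixed in 1.0.1f
        *)     echo not-affected; return 0 ;;   # 0.9.8, 1.0.2+: outside the stated ranges
    esac
    _cur=$(letter_index "$_suffix")
    if [ "$_cur" -eq 99 ]; then
        echo unknown
    elif [ "$_cur" -lt "$_fix" ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# ubuntu_fixed_version RELEASE: first fixed openssl package version for an
# Ubuntu release, as listed in the status table above; "none" where the
# release was not vulnerable, empty when the release is not in the table.
ubuntu_fixed_version() {
    case "$1" in
        lucid)   echo none ;;
        precise) echo 1.0.1-4ubuntu5.11 ;;
        quantal) echo 1.0.1c-3ubuntu2.6 ;;
        raring)  echo 1.0.1c-4ubuntu8.2 ;;
        saucy)   echo 1.0.1e-3ubuntu1.1 ;;
        *)       echo '' ;;
    esac
}

# ubuntu_status RELEASE PKGVERSION: compare an installed openssl package
# version (e.g. from: dpkg -s openssl | sed -n 's/^Version: //p') with the
# fixed one. Debian version ordering needs dpkg; prints unknown without it.
ubuntu_status() {
    _fixed=$(ubuntu_fixed_version "$1")
    if [ -z "$_fixed" ]; then echo unknown; return 0; fi
    if [ "$_fixed" = none ]; then echo not-affected; return 0; fi
    if ! command -v dpkg >/dev/null 2>&1; then echo unknown; return 0; fi
    if dpkg --compare-versions "$2" ge "$_fixed"; then echo fixed; else echo vulnerable; fi
}

# check_local_openssl: classify the openssl binary on PATH, if any, by the
# upstream version it reports ("OpenSSL 1.0.1e 11 Feb 2013" -> 1.0.1e).
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH"; return 0; }
    set -- $(openssl version)
    printf '%s: %s\n' "$2" "$(upstream_status "$2")"
}

check_local_openssl
```

Two caveats when using this. First, distribution packages backport fixes without changing the upstream version string: on saucy the fixed package is 1.0.1e-3ubuntu1.1, yet `openssl version` there still prints 1.0.1e, so on Ubuntu only the package version comparison (`ubuntu_status`) is meaningful and the upstream check is for self-built or vendor-bundled copies of OpenSSL. Second, the description limits the crash to the DTLS retransmission path, so the attack surface is services that actually speak DTLS, but the package status is what the tracker records and what should be remediated.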