
CVE-2014-3511

Published: 07 August 2014

The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue.
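The downgrade works because the server decides the protocol version from the first TLS record alone. In the affected code, ssl23_get_client_hello peeks at the first 11 bytes of the connection; if that first record carries fewer than 6 bytes of handshake data, the ClientHello's client_version field (handshake bytes 4 and 5) has not arrived yet, and the server simply assumes TLS 1.0 instead of reading on. The 1.0.1i commit linked below replaces that assumption with a rejection (SSL_R_RECORD_TOO_SMALL). The Python model below is an added illustration written for this page, not OpenSSL's code: it reconstructs only that decision, using the standard TLS record and handshake layouts. The ClientHello body (client_version plus 32 bytes of filler) and the server's TLS 1.2 ceiling are constructed assumptions for the example.

```python
"""
Model of the version decision in OpenSSL's ssl23_get_client_hello() for
CVE-2014-3511, before and after the 1.0.1i fix.  Added illustration; not
OpenSSL's code.  Record bytes are constructed here for the example.
"""

HANDSHAKE = 0x16       # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello
TLS1_0 = (3, 1)
TLS1_2 = (3, 3)
SERVER_MAX = TLS1_2    # assumption: server built with TLS 1.2 enabled


def _record(payload):
    """One TLS record: type, record-layer version (3,1, as clients commonly
    send in the first record), 2-byte length, payload."""
    return bytes([HANDSHAKE, 3, 1]) + len(payload).to_bytes(2, "big") + payload


def build_client_hello(client_version, fragment_len=None):
    """Bytes a server sees at the start of the connection.

    The ClientHello body is abbreviated to client_version plus filler
    (constructed for this example).  With fragment_len set, the handshake
    message is split across two records, the first carrying only
    fragment_len bytes; that is what a MITM does to trigger the bug.
    """
    body = bytes(client_version) + b"\x00" * 32
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    if fragment_len is None:
        return _record(hs)
    return _record(hs[:fragment_len]) + _record(hs[fragment_len:])


def _peek(p):
    """The 11-byte peek the server performs; returns the first record's length."""
    if len(p) < 11 or p[0] != HANDSHAKE or p[1] != 3 or p[5] != CLIENT_HELLO:
        raise ValueError("not a TLS ClientHello record")
    return int.from_bytes(p[3:5], "big")


def negotiate_vulnerable(p):
    """Pre-1.0.1i behaviour: if client_version is not in the first record,
    assume TLS 1.0 rather than reading the next record."""
    rec_len = _peek(p)
    if rec_len < 6:
        return TLS1_0                       # the forced downgrade
    client_version = (p[9], p[10])          # handshake bytes 4-5
    return min(client_version, SERVER_MAX)


def negotiate_fixed(p):
    """1.0.1i behaviour: a first record too small to carry client_version
    is rejected (SSL_R_RECORD_TOO_SMALL) instead of guessed at."""
    rec_len = _peek(p)
    if rec_len < 6:
        raise ValueError("record too small (SSL_R_RECORD_TOO_SMALL)")
    client_version = (p[9], p[10])
    return min(client_version, SERVER_MAX)


if __name__ == "__main__":
    full = build_client_hello(TLS1_2)
    frag = build_client_hello(TLS1_2, fragment_len=4)   # type + 3 length bytes only
    print("intact ClientHello, vulnerable:", negotiate_vulnerable(full))
    print("fragmented ClientHello, vulnerable:", negotiate_vulnerable(frag))
    try:
        negotiate_fixed(frag)
    except ValueError as e:
        print("fragmented ClientHello, fixed:", e)
```

With fragment_len=4 the first record holds only the handshake type and length, so bytes 9 and 10 of the peek are the next record's header, not a version; the vulnerable path never looks at them and settles on TLS 1.0 even though both ends speak TLS 1.2. A server with the fix aborts the handshake, and a legitimate client that never fragments this way is unaffected.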

Priority

Medium

Status

Package Release Status
openssl (Launchpad, Ubuntu, Debian)
  Upstream: Released (1.0.1i)
  Ubuntu 14.04 ESM (Trusty Tahr): Released (1.0.1f-1ubuntu2.5)
  Patches:
    Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=fc4f4cdb8bf9981904e652abf69b892a45bddacf (1.0.1)
    Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=fc4bd2f287582c5f51f9549727fd5a49e9fc3012 (0.9.8)
openssl098 (Launchpad, Ubuntu, Debian)
  Upstream: Not vulnerable
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was not-affected)