CVE-2015-0204

Published: 08 January 2015

The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.

Priority

Low

Status

Package: openssl (Launchpad, Ubuntu, Debian)

Release                             Status
Upstream                            Released (0.9.8zd, 1.0.1k)
Ubuntu 18.04 LTS (Bionic Beaver)    Released (1.0.1f-1ubuntu10)
Ubuntu 16.04 ESM (Xenial Xerus)     Released (1.0.1f-1ubuntu10)
Ubuntu 14.04 ESM (Trusty Tahr)      Released (1.0.1f-1ubuntu2.8)

Patches:
Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=37580f43b5a39f5f4e920d17273fab9713d3a744 (1.0.1)
Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=72f181539118828ca966a0f8d03f6428e2bcf0d6 (0.9.8)

Package: openssl098 (Launchpad, Ubuntu, Debian)

Release                             Status
Upstream                            Released (0.9.8zd, 1.0.1k)
Ubuntu 18.04 LTS (Bionic Beaver)    Does not exist
Ubuntu 16.04 ESM (Xenial Xerus)     Does not exist
Ubuntu 14.04 ESM (Trusty Tahr)      Does not exist (trusty was needed)