CVE-2016-6307

Published: 26 September 2016

The state-machine implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted TLS messages, related to statem/statem.c and statem/statem_lib.c.

Priority

CVSS 3 base score: 5.9

Status

Package	Release	Status
openssl Launchpad, Ubuntu, Debian	Upstream	Needs triage




	Ubuntu 16.04 LTS (Xenial Xerus)	Not vulnerable
	Ubuntu 14.04 ESM (Trusty Tahr)	Not vulnerable
openssl098 Launchpad, Ubuntu, Debian	Upstream	Needs triage




	Ubuntu 16.04 LTS (Xenial Xerus)	Does not exist
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist (trusty was not-affected)

Notes

Author	Note
mdeslaur	only affects 1.1.0

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6307
https://www.openssl.org/news/secadv/20160922.txt
NVD
Launchpad
Debian

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu 14.04 Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM