CVE-2016-8610
Published: 24 October 2016
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
gnutls28 Launchpad, Ubuntu, Debian |
precise |
Ignored
(end of life)
|
| artful |
Not vulnerable
(3.5.6-4ubuntu2)
|
|
| bionic |
Not vulnerable
(3.5.6-4ubuntu2)
|
|
| cosmic |
Not vulnerable
(3.5.6-4ubuntu2)
|
|
| trusty |
Does not exist
(trusty was needed)
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(3.4.10-4ubuntu1.2)
|
|
| yakkety |
Released
(3.5.3-5ubuntu1.1)
|
|
| zesty |
Not vulnerable
(3.5.6-4ubuntu2)
|
|
| disco |
Not vulnerable
(3.5.6-4ubuntu2)
|
|
|
Patches: upstream: https://gitlab.com/gnutls/gnutls/commit/1ffb827e45721ef56982d0ffd5c5de52376c428e upstream: https://gitlab.com/gnutls/gnutls/commit/42a8bb3bdad73f13425ae18a41addbbc04496101 (bp) upstream: https://gitlab.com/gnutls/gnutls/commit/648bf9b00e1cbf45c6d05fab07e91fad97e6926d (3.3) |
||
|
openssl098 Launchpad, Ubuntu, Debian |
precise |
Ignored
(end of life)
|
| artful |
Does not exist
|
|
| bionic |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| trusty |
Does not exist
(trusty was needed)
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
gnutls26 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| precise |
Released
(2.12.14-5ubuntu3.13)
|
|
| trusty |
Released
(2.12.23-12ubuntu2.6)
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
openssl Launchpad, Ubuntu, Debian |
artful |
Released
(1.0.2g-1ubuntu11)
|
| bionic |
Released
(1.0.2g-1ubuntu11)
|
|
| cosmic |
Released
(1.0.2g-1ubuntu11)
|
|
| disco |
Released
(1.0.2g-1ubuntu11)
|
|
| precise |
Released
(1.0.1-4ubuntu5.39)
|
|
| trusty |
Released
(1.0.1f-1ubuntu2.22)
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(1.0.2g-1ubuntu4.6)
|
|
| yakkety |
Released
(1.0.2g-1ubuntu9.1)
|
|
| zesty |
Released
(1.0.2g-1ubuntu11)
|
|
|
Patches: upstream: https://git.openssl.org/?p=openssl.git;a=commit;h=af58be768ebb690f78530f796e92b8ae5c9a4401 (master) upstream: https://git.openssl.org/?p=openssl.git;a=commit;h=22646a075e75991b4e8f5d67171e45a6aead5b48 (1.0.2) upstream: https://git.openssl.org/?p=openssl.git;a=commit;h=f1185392189641014dca94f3fe7834bccb5f4c16 (related) |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8610
- http://www.openwall.com/lists/oss-security/2016/10/24/3
- http://security.360.cn/cve/CVE-2016-8610/
- https://ubuntu.com/security/notices/USN-3181-1
- https://ubuntu.com/security/notices/USN-3183-1
- https://ubuntu.com/security/notices/USN-3183-2
- NVD
- Launchpad
- Debian