[v2.4] openssl<1.0.1c: Invalid TLS/DTLS record attack (CVE-2012-2333)
OpenSSL Security Advisory [10 May 2012]
Invalid TLS/DTLS record attack (CVE-2012-2333)
A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1, 1.2
and
DTLS can be exploited in a denial of service attack on both clients
and
servers.
DTLS applications are affected in all versions of OpenSSL. TLS is only
affected in OpenSSL 1.0.1 and later.
Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
fuzzing
as a service testing platform.
The fix was developed by Stephen Henson of the OpenSSL core team.
Affected users should upgrade to OpenSSL 1.0.1c, 1.0.0j or 0.9.8x
References
URL for this Security Advisory:
http://www.openssl.org/news/secadv\_20120510.txt
(from redmine: issue id 1151, created on 2012-05-14, closed on 2012-05-17)
- Changesets:
- Revision 1831053b by Natanael Copa on 2012-05-14T12:41:13Z:
main/openssl: security upgrade to 1.0.1c (CVE-2012-2333)
fixes #1151
- Revision d578a772 by Natanael Copa on 2012-05-14T12:45:02Z:
main/openssl: security upgrade to 1.0.1c (CVE-2012-2333)
fixes #1151
(cherry picked from commit 1831053bb87f432f0d45ccd9f7a368fc885a1d64)