[v2.1] openssl<1.0.0j: Invalid TLS/DTLS record attack (CVE-2012-2333)
OpenSSL Security Advisory [10 May 2012]
Invalid TLS/DTLS record attack (CVE-2012-2333)
A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1, 1.2
DTLS can be exploited in a denial of service attack on both clients and
DTLS applications are affected in all versions of OpenSSL. TLS is only
affected in OpenSSL 1.0.1 and later.
Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
as a service testing platform.
The fix was developed by Stephen Henson of the OpenSSL core team.
Affected users should upgrade to OpenSSL 1.0.1c, 1.0.0j or 0.9.8x
URL for this Security Advisory:
(from redmine: issue id 1155, created on 2012-05-14, closed on 2012-05-17)
- Revision 48d01c7c by Natanael Copa on 2012-05-14T12:55:45Z:
main/openssl: security upgrade to 1.0.0j (CVE-2012-2333) fixes #1155