openssl: race condition in the ssl3_read_bytes function in s3_pkt.c (CVE-2010-5298)
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.
•MLIST:[oss-security] 20140412 Use-after-free race condition in OpenSSL’s read buffer
•URL: http://openwall.com/lists/oss-security/2014/04/13/1
•MISC: http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse
•MISC: https://rt.openssl.org/Ticket/Display.html?id=2167&user=guest&pass=guest
•MISC: https://rt.openssl.org/Ticket/Display.html?id=3265&user=guest&pass=guest
•CONFIRM: http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/004_openssl.patch.sig
•CONFIRM: http://svnweb.freebsd.org/ports/head/security/openssl/files/patch-ssl-s3_pkt.c?revision=351191&view=markup
•OPENBSD:[5.5] 004: SECURITY FIX: April 12, 2014
•URL: http://www.openbsd.org/errata55.html#004_openssl
•BID:66801
•URL: http://www.securityfocus.com/bid/66801
(from redmine: issue id 2895, created on 2014-05-20, closed on 2014-05-21)
- Relations:
- child #2896 (closed)
- child #2897 (closed)
- child #2898 (closed)