[v2.2] openssl<1.0.0j: Invalid TLS/DTLS record attack (CVE-2012-2333)
OpenSSL Security Advisory [10 May 2012]
Invalid TLS/DTLS record attack (CVE-2012-2333)
A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1, 1.2
and
DTLS can be exploited in a denial of service attack on both clients
and
servers.
DTLS applications are affected in all versions of OpenSSL. TLS is only
affected in OpenSSL 1.0.1 and later.
Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
fuzzing
as a service testing platform.
The fix was developed by Stephen Henson of the OpenSSL core team.
Affected users should upgrade to OpenSSL 1.0.1c, 1.0.0j or 0.9.8x
References
URL for this Security Advisory:
http://www.openssl.org/news/secadv\_20120510.txt
(from redmine: issue id 1153, created on 2012-05-14, closed on 2012-05-17)
- Changesets:
- Revision 049f48d3 by Natanael Copa on 2012-05-14T12:50:16Z:
main/openssl: security upgrade to 1.0.0j (CVE-2012-2333)
fixes #1153