Lucene search

K
ubuntucveUbuntu.comUB:CVE-2011-3210
HistorySep 22, 2011 - 12:00 a.m.

CVE-2011-3210

2011-09-2200:00:00
ubuntu.com
ubuntu.com
13

5 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.305 Low

EPSS

Percentile

97.0%

The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through
0.9.8r and 1.0.x before 1.0.0e does not ensure thread safety during
processing of handshake messages from clients, which allows remote
attackers to cause a denial of service (daemon crash) via out-of-order
messages that violate the TLS protocol.

Notes

Author Note
jdstrand from upstream: applications are only affected by the CRL checking vulnerability if they enable OpenSSL’s internal CRL checking which is off by default. For example by setting the verification flag X509_V_FLAG_CRL_CHECK or X509_V_FLAG_CRL_CHECK_ALL The following packages in main use this X509_V_FLAG_CRL_CHECK* curl, dovecot, exim4, freeradius, ipsec-tools, krb5, libio-socket-ssl-perl, libnet-ssleay-perl, likewise-open, mysql-5.1, nmap, openldap, openvpn, postgresql-9.1, ruby1.8, squid, telepathy-gabble, telepathy-salut, wpasupplicant the above need to also support ECDH to be affected
OSVersionArchitecturePackageVersionFilename
ubuntu8.04noarchopenssl< 0.9.8g-4ubuntu3.15UNKNOWN
ubuntu10.04noarchopenssl< 0.9.8k-7ubuntu8.8UNKNOWN
ubuntu10.10noarchopenssl< 0.9.8o-1ubuntu4.6UNKNOWN
ubuntu11.04noarchopenssl< 0.9.8o-5ubuntu1.2UNKNOWN

5 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.305 Low

EPSS

Percentile

97.0%