oss-sec mailing list archives

OpenSSL invalid TLS/DTLS record attack (CVE-2012-2333)
From: Solar Designer <solar () openwall com>
Date: Fri, 11 May 2012 07:15:15 +0400

I think these should be in here given the importance of OpenSSL, as well
as to encourage relevant follow-ups.

----- Forwarded message -----

Subject: OpenSSL Security Advisory
Date: Thu, 10 May 2012 23:47:57 +0200 (CEST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL Security Advisory [10 May 2012]
=======================================

Invalid TLS/DTLS record attack (CVE-2012-2333)
===============================================

A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1, 1.2 and
DTLS can be exploited in a denial of service attack on both clients and
servers.

DTLS applications are affected in all versions of OpenSSL. TLS is only
affected in OpenSSL 1.0.1 and later.

Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic fuzzing
as a service testing platform.

The fix was developed by Stephen Henson of the OpenSSL core team.

Affected users should upgrade to OpenSSL 1.0.1c, 1.0.0j or 0.9.8x

References
==========

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20120510.txt


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

-----END PGP SIGNATURE-----
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Announcement Mailing List                 openssl-announce () openssl org
Automated List Manager                           majordomo () openssl org

----- End forwarded message -----
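
A triage helper for the version statements in the advisory above, added here as an example (it is not part of the original message or of OpenSSL's code). The function names, status labels and the `uses_dtls` flag are assumptions; branches newer than 1.0.1 are reported as outside the advisory because it does not cover them.

```python
import re

# Fixed releases named in the advisory, keyed by release branch.
FIXED = {"1.0.1": "c", "1.0.0": "j", "0.9.8": "x"}

_VERSION = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)")


def parse(version):
    """Split '1.0.1c' into ('1.0.1', 'c'); also accepts 'OpenSSL 1.0.1c 10 May 2012'."""
    m = _VERSION.search(version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    return m.group(1), m.group(2)


def patch_rank(letters):
    """Order letter suffixes: '' < 'a' < ... < 'z' < 'za' (length first, then alphabetical)."""
    return (len(letters), letters)


def triage(version, uses_dtls):
    """Return (status, detail) for CVE-2012-2333 using only the advisory's statements."""
    branch, letters = parse(version)
    nums = tuple(int(p) for p in branch.split("."))
    if nums > (1, 0, 1):
        return "not-covered", "branch is newer than the advisory"
    fixed = FIXED.get(branch)
    if fixed is not None and patch_rank(letters) >= patch_rank(fixed):
        return "fixed", f"at or beyond {branch}{fixed}"
    # Advisory: TLS is only affected in 1.0.1 and later; DTLS in all versions.
    exposed = uses_dtls or nums >= (1, 0, 1)
    if not exposed:
        return "not-affected", "TLS-only use before 1.0.1"
    if fixed is None:
        return "affected", "no fixed release named for this branch"
    return "affected", f"upgrade to {branch}{fixed}"


if __name__ == "__main__":
    # Constructed inventory: (host label, reported version, application uses DTLS).
    for host, ver, dtls in [("web-1", "OpenSSL 1.0.1b 26 Apr 2012", False),
                            ("vpn-1", "0.9.8w", True),
                            ("mail-1", "1.0.0i", False)]:
        print(host, ver, *triage(ver, dtls))
```

Distribution packages often backport fixes without changing the upstream version letter, so a result of "affected" for a vendor build should be checked against the vendor's own advisory.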
