OpenSSL prior to 0.9.8q, and 1.0.x prior to 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote malicious users to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.

Vulnerable Product |
---|
openssl openssl |
fedoraproject fedora 13 |
fedoraproject fedora 14 |
debian debian linux 5.0 |
canonical ubuntu linux 10.10 |
canonical ubuntu linux 9.04 |
canonical ubuntu linux 8.04 |
canonical ubuntu linux 10.04 |
canonical ubuntu linux 6.06 |
suse linux enterprise desktop 11 |
opensuse opensuse 11.1 |
suse linux enterprise server 9 |
opensuse opensuse 11.4 |
opensuse opensuse 11.2 |
opensuse opensuse 11.3 |
suse linux enterprise desktop 10 |
suse linux enterprise server 10 |
suse linux enterprise 11.0 |
f5 nginx |