The ssl3_get_key_exchange function in ssl/s3_clnt.c in OpenSSL 1.0.2 before 1.0.2e allows a malicious remote server to crash a connecting client (denial of service via segmentation fault) by sending an anonymous Diffie-Hellman (DH) ServerKeyExchange message whose prime modulus p is zero. The client accepts the parameters without checking p and hands them to the DH code, which does not tolerate a zero modulus.
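The check the affected client was missing is easy to state: parse the server's DH parameters and refuse them before any DH arithmetic runs. The following is an added example, not OpenSSL's code, that parses the ServerDHParams body carried by an anonymous-DH ServerKeyExchange (dh_p, dh_g, dh_Ys as 16-bit-length-prefixed opaque vectors, with no signature because the suite is anonymous) and rejects a zero p along with the other malformed cases a client should catch. The minimum modulus size (`min_p_bits`), the sample messages and the server exponent are assumptions constructed for the demo; the 1024-bit prime is the RFC 2409 group 2 MODP prime.

```python
import struct

# Added example, not OpenSSL code: a standalone parser/validator for the
# ServerDHParams structure carried in an anonymous-DH ServerKeyExchange
# (RFC 5246 section 7.4.3):
#   opaque dh_p<1..2^16-1>; opaque dh_g<1..2^16-1>; opaque dh_Ys<1..2^16-1>;
# Anonymous DH suites carry no signature, so the body is exactly these fields.

class BadDHParams(ValueError):
    """Raised when a ServerKeyExchange carries unusable DH parameters."""

def _read_vector16(buf, off):
    """Read one opaque<1..2^16-1> vector at buf[off]; return (bytes, new_off)."""
    if off + 2 > len(buf):
        raise BadDHParams("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise BadDHParams("empty or truncated vector")
    return buf[off:off + n], off + n

def parse_server_dh_params(body):
    """Split a ServerDHParams body into integers (p, g, Ys). Does no validation."""
    p, off = _read_vector16(body, 0)
    g, off = _read_vector16(body, off)
    ys, off = _read_vector16(body, off)
    if off != len(body):
        raise BadDHParams("trailing bytes after dh_Ys")
    return (int.from_bytes(p, "big"), int.from_bytes(g, "big"), int.from_bytes(ys, "big"))

def check_server_dh_params(body, min_p_bits=1024):
    """Parse and sanity-check server DH parameters before any DH arithmetic.

    The p == 0 check is the one that matters for CVE-2015-1794: a zero modulus
    must be rejected as an illegal parameter, never handed to key generation.
    The remaining checks (odd p, minimum size, g and Ys in range) are ordinary
    client-side hygiene; min_p_bits is a local policy choice (an assumption
    for this example), not a protocol constant.
    """
    p, g, ys = parse_server_dh_params(body)
    if p == 0:
        raise BadDHParams("dh_p is zero")
    if p % 2 == 0:
        raise BadDHParams("dh_p is even, cannot be a prime modulus")
    if p.bit_length() < min_p_bits:
        raise BadDHParams("dh_p is only %d bits" % p.bit_length())
    if not 2 <= g <= p - 2:
        raise BadDHParams("dh_g out of range")
    if not 2 <= ys <= p - 2:
        raise BadDHParams("dh_Ys out of range")
    return p, g, ys

def verdict(body):
    """Convenience wrapper: (True, 'ok') or (False, reason) instead of an exception."""
    try:
        check_server_dh_params(body)
        return True, "ok"
    except BadDHParams as e:
        return False, str(e)

def encode_server_dh_params(p, g, ys):
    """Wire-encode (p, g, Ys); used here only to construct sample messages."""
    def vec(x):
        b = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
        return struct.pack("!H", len(b)) + b
    return vec(p) + vec(g) + vec(ys)

# Constructed sample messages (not captured traffic). P_1024 is the 1024-bit MODP
# prime from RFC 2409 (group 2); the server exponent is an arbitrary test value.
P_1024 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
SERVER_YS = pow(G, 0x123456789ABCDEF0, P_1024)

GOOD_MSG = encode_server_dh_params(P_1024, G, SERVER_YS)
ZERO_P_MSG = encode_server_dh_params(0, G, SERVER_YS)    # the CVE-2015-1794 trigger
TINY_P_MSG = encode_server_dh_params(0xFFFFFFFB, G, 5)   # odd but far too small

if __name__ == "__main__":
    for name, msg in [("good", GOOD_MSG), ("zero p", ZERO_P_MSG), ("tiny p", TINY_P_MSG)]:
        print(name, verdict(msg))
```

Running the block prints a verdict for each constructed message; the zero-p message is rejected at the parameter check, which is where the fixed OpenSSL client rejects it too, rather than being discovered later inside the DH key generation.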
Vulnerable Product |
---|
openssl openssl 1.0.2 |
openssl openssl 1.0.2a |
openssl openssl 1.0.2b |
openssl openssl 1.0.2c |
openssl openssl 1.0.2d |
Version control, we've heard of it
The OpenSSL Project released its promised updates last week and, almost immediately, had to try again because of errors in the release. The bugs fixed in the release include three moderate-severity issues and one low-severity bug. Among them is a denial-of-service vulnerability that crashes OpenSSL clients during certificate verification. The fixes apply to the OpenSSL 0.9.8zh, 1.0.0t, 1.0.1q and 1.0.2e releases. The 1.0.0 and 0.9.8 branches have been on OpenSSL's end-of-life list since December 2014, and ...