CVE-2013-6449

Publication date 23 December 2013

Last updated 24 July 2024

Ubuntu priority

The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
openssl	13.10 saucy	Fixed 1.0.1e-3ubuntu1.1
	13.04 raring	Fixed 1.0.1c-4ubuntu8.2
	12.10 quantal	Fixed 1.0.1c-3ubuntu2.6
	12.04 LTS precise	Fixed 1.0.1-4ubuntu5.11
	10.04 LTS lucid	Not affected

Notes

mdeslaur

only 1.0.1+

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
openssl	Upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=0294b2be5f4c11e60620c0018674ff0e17b14238 Upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=ca989269a2876bae79393bd54c3e72d49975fc75

CVE-2013-6449

Status

Notes

mdeslaur

Patch details

References

Related Ubuntu Security Notices (USN)

Other references