CVE-2014-3470

Publication date 5 June 2014

Last updated 24 July 2024

Ubuntu priority

The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
openssl	14.04 LTS trusty	Fixed 1.0.1f-1ubuntu2.2
	13.10 saucy	Fixed 1.0.1e-3ubuntu1.4
	12.04 LTS precise	Fixed 1.0.1-4ubuntu5.14
	10.04 LTS lucid	Not affected
openssl098	14.04 LTS trusty	Not in release
	13.10 saucy	Not affected
	12.04 LTS precise	Not affected
	10.04 LTS lucid	Not in release

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-2232-1
OpenSSL vulnerabilities
5 June 2014

Other references

https://www.openssl.org/news/secadv_20140605.txt
https://www.cve.org/CVERecord?id=CVE-2014-3470