-------------------------------------------------------------
-CVE-2014-0224
-
-reported=20140509
-public=no
-source=Kikuchi Masashi, Katayama Kenichiro, and Maeda Kaoru of Lepidum Co. Ltd (via CERT-CC and JPCERT)
-
-description=A flaw in the handling of the ChangeCipherSpec message can
-lead to an empty master secret. If OpenSSL is being used both for the
-client and server this can enable a man in the middle attack against
-TLS/SSLv3.
-
-probably affects=0.9.8* 1.0.0* 1.0.1*
-
-(They provided a patch, unconfirmed)
-(they reported this also via CERT JP on 20140501 but required OPENSSL_NO_NEXTPROTONEG)
-(was fixed for DTLS in CVE-2009-1386, but without 0 master secret consequence listed)
-
-------------------------------------------------------------
-CVE-2014-0221
-
-reported=20140509
-public=no
-source=Imre Rad (via openssl-security@)
-
-description=An recursion flaw in dtls1_get_message_fragment could allow a
-malicious DTLS server to crash a connecting OpenSSL DTLS client.
-
-probably affects=0.9.8* 1.0.0* 1.0.1*
-
-(Stephen wrote a patch)
-
-------------------------------------------------------------
-CVE-2014-0195
-
-reported=20140423
-public=no
-source=Jüri Aedla (via HP ZDI)
-
-description=A flaw in the handling of DTLS fragments was found leading to
-an out of bounds write. A malicious client could connect to an OpenSSL
-DTLS server and cause it to crash or potentially execute arbitrary code.
-
-probably affects=0.9.8* 1.0.0* 1.0.1*
-
-(we've not verified RCE)
-
-------------------------------------------------------------
NO CVE
https://rt.openssl.org/Ticket/Display.html?id=3339
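Review bot: The three removed entries (CVE-2014-0224, CVE-2014-0221, CVE-2014-0195) are deleted while each still reads "public=no" and "probably affects=0.9.8* 1.0.0* 1.0.1*", and nothing in the visible lines shows where that tracking information goes. Before dropping them, record the confirmed affected versions somewhere that survives this removal, and resolve or carry over the open notes "(They provided a patch, unconfirmed)" and "(we've not verified RCE)" so the unverified status is not lost. The CVE-2014-0224 note that the issue "was fixed for DTLS in CVE-2009-1386" is also history worth keeping with the final record. If the description text is reused elsewhere, "An recursion flaw" in the CVE-2014-0221 entry should read "A recursion flaw".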