CVE-2012-2333

NameCVE-2012-2333
DescriptionInteger underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDSA-2475-1
Debian Bugs672452

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openssl (PTS)buster1.1.1n-0+deb10u3fixed
buster (security)1.1.1n-0+deb10u4fixed
bullseye1.1.1n-0+deb11u4fixed
bullseye (security)1.1.1n-0+deb11u5fixed
bookworm, sid3.0.9-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
opensslsourcesqueeze0.9.8o-4squeeze13DSA-2475-1
opensslsource(unstable)1.0.1c-1672452

Notes

http://seclists.org/oss-sec/2012/q2/299
http://www.openssl.org/news/secadv/20120510.txt
Search for package or bug name: Reporting problems