CVE-2012-2333

Name: CVE-2012-2333
Description: Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues)
References: DSA-2475-1
Debian Bugs: 672452

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release               Version            Status
openssl (PTS)    stretch               1.1.0l-1~deb9u1    fixed
                 stretch (security)    1.1.0l-1~deb9u6    fixed
                 buster                1.1.1n-0+deb10u1   fixed
                 buster (security)     1.1.1n-0+deb10u3   fixed
                 bullseye              1.1.1n-0+deb11u1   fixed
                 bullseye (security)   1.1.1n-0+deb11u3   fixed
                 bookworm              3.0.3-8            fixed
                 sid                   3.0.4-2            fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version       Urgency   Origin       Debian Bugs
openssl   source   squeeze      0.9.8o-4squeeze13             DSA-2475-1
openssl   source   (unstable)   1.0.1c-1                                   672452

Notes

http://seclists.org/oss-sec/2012/q2/299
http://www.openssl.org/news/secadv/20120510.txt
