CVE-2012-2333

Name: CVE-2012-2333
Description: Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation.
Source: CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
References: DSA-2475-1
NVD severity: medium (attack range: remote)
Debian Bugs: 672452
Debian/oldstable: not vulnerable.
Debian/stable: not vulnerable.
Debian/testing: not vulnerable.
Debian/unstable: not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  | Release                      | Version            | Status
openssl (PTS)   | squeeze (security), squeeze  | 0.9.8o-4squeeze14  | fixed
                | squeeze (lts)                | 0.9.8o-4squeeze19  | fixed
                | wheezy                       | 1.0.1e-2+deb7u13   | fixed
                | wheezy (security)            | 1.0.1e-2+deb7u14   | fixed
                | jessie, sid                  | 1.0.1k-1           | fixed

The information above is based on the following data on fixed versions.

Package  | Type    | Release     | Fixed Version      | Urgency  | Origin      | Debian Bugs
openssl  | source  | (unstable)  | 1.0.1c-1           | medium   |             | 672452
openssl  | source  | squeeze     | 0.9.8o-4squeeze13  | medium   | DSA-2475-1  |

Notes

http://seclists.org/oss-sec/2012/q2/299
http://www.openssl.org/news/secadv_20120510.txt
