CVE-2012-2333

NameCVE-2012-2333
DescriptionInteger underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-2475-1
NVD severitymedium (attack range: remote)
Debian Bugs672452

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openssl (PTS)wheezy1.0.1e-2+deb7u20fixed
wheezy (security)1.0.1t-1+deb7u1fixed
jessie1.0.1t-1+deb8u3fixed
jessie (security)1.0.1t-1+deb8u5fixed
stretch1.0.2h-1fixed
sid1.0.2j-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
opensslsource(unstable)1.0.1c-1medium672452
opensslsourcesqueeze0.9.8o-4squeeze13mediumDSA-2475-1

Notes

http://seclists.org/oss-sec/2012/q2/299
http://www.openssl.org/news/secadv/20120510.txt

Search for package or bug name: Reporting problems