CVE-2015-3197

NameCVE-2015-3197
Descriptionssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-421-1
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openssl (PTS)stretch1.1.0l-1~deb9u1fixed
stretch (security)1.1.0l-1~deb9u4fixed
buster, buster (security)1.1.1d-0+deb10u7fixed
bullseye (security), bullseye1.1.1k-1+deb11u1fixed
bookworm, sid1.1.1l-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
opensslsourcesqueeze0.9.8o-4squeeze23DLA-421-1
opensslsource(unstable)1.0.0c-2

Notes

1.0.0c-2 dropped SSLv2 support
No MITM: https://bugzilla.redhat.com/show_bug.cgi?id=1301846#c3

Search for package or bug name: Reporting problems