CVE-2010-4180 Information
Share on:Description
OpenSSL before 0.9.8q and 1.0.x before 1.0.0c when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled does not properly prevent modification of the ciphersuite in the session cache which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
Reference
http://cvs.openssl.org/chngview?cn=20131 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02794777 http://lists.apple.com/archives/security-announce/2011//Jun/msg00000.html http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052027.html http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052315.html http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.html http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00014.html http://marc.info/?l=bugtraq&m=129916880600544&w=2 http://marc.info/?l=bugtraq&m=130497251507577&w=2 http://marc.info/?l=bugtraq&m=132077688910227&w=2 http://openssl.org/news/secadv_20101202.txt http://osvdb.org/69565 http://secunia.com/advisories/42469 http://secunia.com/advisories/42473 http://secunia.com/advisories/42493 http://secunia.com/advisories/42571 http://secunia.com/advisories/42620 http://secunia.com/advisories/42811 http://secunia.com/advisories/42877 http://secunia.com/advisories/43169 http://secunia.com/advisories/43170 http://secunia.com/advisories/43171 http://secunia.com/advisories/43172 http://secunia.com/advisories/43173 http://secunia.com/advisories/44269 http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.668471 http://support.apple.com/kb/HT4723 http://ubuntu.com/usn/usn-1029-1 http://www.debian.org/security/2011/dsa-2141 http://www.kb.cert.org/vuls/id/737740 http://www.mandriva.com/security/advisories?name=MDVSA-2010:248 http://www.redhat.com/support/errata/RHSA-2010-0977.html http://www.redhat.com/support/errata/RHSA-2010-0978.html http://www.redhat.com/support/errata/RHSA-2010-0979.html http://www.redhat.com/support/errata/RHSA-2011-0896.html http://www.securityfocus.com/archive/1/522176 http://www.securityfocus.com/bid/45164 http://www.securitytracker.com/id?1024822 http://www.vupen.com/english/advisories/2010/3120 http://www.vupen.com/english/advisories/2010/3122 http://www.vupen.com/english/advisories/2010/3134 http://www.vupen.com/english/advisories/2010/3188 http://www.vupen.com/english/advisories/2011/0032 http://www.vupen.com/english/advisories/2011/0076 http://www.vupen.com/english/advisories/2011/0268 https://bugzilla.redhat.com/show_bug.cgi?id=659462 https://kb.bluecoat.com/index?page=content&id=SA53&actp=LIST https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A18910