CVE-2013-6450 Information

Description

The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery related to ssl/d1_both.c and ssl/t1_enc.c.

Reference

http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=34628967f1e65dc8f34e000f0f5518e21afbfc7b http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136470.html http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html http://lists.opensuse.org/opensuse-updates/2014-01/msg00031.html http://lists.opensuse.org/opensuse-updates/2014-01/msg00032.html http://rhn.redhat.com/errata/RHSA-2014-0015.html http://seclists.org/fulldisclosure/2014/Dec/23 http://security.gentoo.org/glsa/glsa-201412-39.xml http://www.debian.org/security/2014/dsa-2833 http://www.openssl.org/news/vulnerabilities.html http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html http://www.securityfocus.com/archive/1/534161/100/0/threaded http://www.securityfocus.com/bid/64618 http://www.securitytracker.com/id/1029549 http://www.securitytracker.com/id/1031594 http://www.ubuntu.com/usn/USN-2079-1 http://www.vmware.com/security/advisories/VMSA-2014-0012.html http://www-01.ibm.com/support/docview.wss?uid=isg400001841 http://www-01.ibm.com/support/docview.wss?uid=isg400001843 https://puppet.com/security/cve/cve-2013-6450 https://security-tracker.debian.org/tracker/CVE-2013-6450