Description

Double free vulnerability in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (application crash) via crafted DTLS packets that trigger an error condition.

References

• BID-69081
• CVE-2014-3505
• DEBIAN-DSA-2998
• NETBSD-NetBSD-SA2014-008
• REDHAT-RHSA-2014:1256
• REDHAT-RHSA-2014:1297

Solution

Related Vulnerabilities

• OpenSSL Double Free when processing DTLS packets (CVE-2014-3505)
• ELSA-2014-1653 Moderate: Oracle Linux openssl security update
• RHSA-2014:1053: openssl security update
• ELSA-2014-1052 Moderate: Oracle Linux openssl security update
• Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 5
• FreeBSD: OpenSSL -- multiple vulnerabilities (FreeBSD-SA-14:18.openssl) (Multiple CVEs)
• F5 Networks: K15573 (CVE-2014-3505): OpenSSL DTLS vulnerabilities CVE-2014-3505, CVE-2014-3506, and CVE-2014-3507
• DSA-2998-1 openssl -- security update
• SUSE: CVE-2014-3505: SUSE Linux Security Advisory
• USN-2308-1: OpenSSL vulnerabilities
• Cisco NX-OS: SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability (Multiple CVEs)
• ELSA-2014-1652 Important: Oracle Linux openssl security update
• ELSA-2014-1053 Moderate: Oracle Linux openssl security update
• IBM AIX: openssl_advisory10 (CVE-2014-3505): Vulnerabilities in OpenSSL affects AIX
• Oracle Solaris 11: CVE-2014-3505: Vulnerability in OpenSSL
• Gentoo Linux: CVE-2014-3505: OpenSSL: Multiple vulnerabilities
• Amazon Linux AMI: Security patch for openssl (ALAS-2014-391) (multiple CVEs)
• RHSA-2014:1052: openssl security update