Description
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
Release | Status | Note |
---|---|---|
devel | released | 1.0.1f-1ubuntu4 |
esm-infra-legacy/trusty | not-affected | 1.0.1f-1ubuntu2.2 |
lucid | released | 0.9.8k-7ubuntu8.18 |
precise | released | 1.0.1-4ubuntu5.14 |
saucy | released | 1.0.1e-3ubuntu1.4 |
trusty | released | 1.0.1f-1ubuntu2.2 |
trusty/esm | not-affected | 1.0.1f-1ubuntu2.2 |
upstream | released | 0.9.8za,1.0.1h |

Release | Status | Note |
---|---|---|
devel | released | 0.9.8o-7ubuntu4 |
esm-infra-legacy/trusty | DNE | trusty/esm was DNE [trusty was released [0.9.8o-7ubuntu3.2.14.04.1]] |
lucid | DNE | |
precise | released | 0.9.8o-7ubuntu3.2 |
saucy | released | 0.9.8o-7ubuntu3.2.13.10.1 |
trusty | released | 0.9.8o-7ubuntu3.2.14.04.1 |
trusty/esm | DNE | trusty was released [0.9.8o-7ubuntu3.2.14.04.1] |
upstream | released | 0.9.8za |
EPSS
CVSS2: 5.8 Medium
CVSS3: 7.4 High