CVE 2014-0224
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
Related bugs and status
CVE-2014-0224 (Candidate) is related to these bugs:
Bug #1329297: openssl CVE-2014-0224 fix broke tls_session_secret_cb and EAP-FAST
Bug | Summary | In | Importance | Status
---|---|---|---|---
1329297 | openssl CVE-2014-0224 fix broke tls_session_secret_cb and EAP-FAST | openssl (Ubuntu) | Undecided | Fix Released
1329297 | openssl CVE-2014-0224 fix broke tls_session_secret_cb and EAP-FAST | openssl (Ubuntu Utopic) | Undecided | Fix Released
1329297 | openssl CVE-2014-0224 fix broke tls_session_secret_cb and EAP-FAST | openssl (Ubuntu Precise) | Undecided | Fix Released
1329297 | openssl CVE-2014-0224 fix broke tls_session_secret_cb and EAP-FAST | openssl (Ubuntu Trusty) | Undecided | Fix Released
1329297 | openssl CVE-2014-0224 fix broke tls_session_secret_cb and EAP-FAST | openssl (Ubuntu Lucid) | Undecided | Invalid
1329297 | openssl CVE-2014-0224 fix broke tls_session_secret_cb and EAP-FAST | openssl (Ubuntu Saucy) | Undecided | Fix Released
Bug #1331452: Please backport current CVEs for Precise LTS openssl098
Bug | Summary | In | Importance | Status
---|---|---|---|---
1331452 | Please backport current CVEs for Precise LTS openssl098 | openssl098 (Ubuntu) | High | Fix Released
1331452 | Please backport current CVEs for Precise LTS openssl098 | openssl098 (Ubuntu Precise) | High | Fix Released
1331452 | Please backport current CVEs for Precise LTS openssl098 | openssl098 (Ubuntu Trusty) | Undecided | Fix Released
1331452 | Please backport current CVEs for Precise LTS openssl098 | openssl098 (Ubuntu Saucy) | Undecided | Fix Released
1331452 | Please backport current CVEs for Precise LTS openssl098 | openssl098 (Ubuntu Utopic) | High | Fix Released
Bug #1332643: pg_dump: Error message from server: SSL error: ccs received early
Bug | Summary | In | Importance | Status
---|---|---|---|---
1332643 | pg_dump: Error message from server: SSL error: ccs received early | openssl (Ubuntu) | Undecided | Fix Released
1332643 | pg_dump: Error message from server: SSL error: ccs received early | openssl (Ubuntu Lucid) | Undecided | Fix Released
1332643 | pg_dump: Error message from server: SSL error: ccs received early | openssl (Ubuntu Trusty) | Undecided | Fix Released
1332643 | pg_dump: Error message from server: SSL error: ccs received early | openssl (Ubuntu Saucy) | Undecided | Fix Released
1332643 | pg_dump: Error message from server: SSL error: ccs received early | openssl (Ubuntu Utopic) | Undecided | Fix Released
1332643 | pg_dump: Error message from server: SSL error: ccs received early | openssl (Ubuntu Precise) | Undecided | Fix Released
1332643 | pg_dump: Error message from server: SSL error: ccs received early | openssl (Debian) | Unknown | Fix Released
1332643 | pg_dump: Error message from server: SSL error: ccs received early | OpenSSL | Unknown | Fix Released
Bug #1425171: Upgrade OpenSSL packages
Bug | Summary | In | Importance | Status
---|---|---|---|---
1425171 | Upgrade OpenSSL packages | Mirantis OpenStack | Undecided | Opinion
1425171 | Upgrade OpenSSL packages | Mirantis OpenStack 5.1.x | Undecided | Opinion
1425171 | Upgrade OpenSSL packages | Mirantis OpenStack 6.0.x | Undecided | Opinion
Bug #1469653: CVE-2014-0224 not fixed for python-openssl based servers
Bug | Summary | In | Importance | Status
---|---|---|---|---
1469653 | CVE-2014-0224 not fixed for python-openssl based servers | pyopenssl (Ubuntu) | Undecided | Expired
Bug #1811531: remote execution vulnerability
Bug | Summary | In | Importance | Status
---|---|---|---|---
1811531 | remote execution vulnerability | zeromq3 (Ubuntu) | Undecided | Fix Released
1811531 | remote execution vulnerability | zeromq3 (Debian) | Unknown | Fix Released
1811531 | remote execution vulnerability | zeromq (Suse) | High | Fix Released
See the CVE page on Mitre.org for more details.