PublicDateAtUSN: 2014-08-07
Candidate: CVE-2014-3511
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3511
https://www.openssl.org/news/secadv_20140806.txt
https://usn.ubuntu.com/usn/usn-2308-1
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before
1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by
triggering ClientHello message fragmentation in communication between a
client and server that both support later TLS versions, related to a
"protocol downgrade" issue.
Discovered-by: David Benjamin and Adam Langley
upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=fc4f4cdb8bf9981904e652abf69b892a45bddacf (1.0.1)
upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=fc4bd2f287582c5f51f9549727fd5a49e9fc3012 (0.9.8)
upstream_openssl: released (1.0.1i)
lucid_openssl: not-affected
precise_openssl: released (1.0.1-4ubuntu5.17)
trusty_openssl: released (1.0.1f-1ubuntu2.5)
devel_openssl: released (1.0.1f-1ubuntu7)
upstream_openssl098: not-affected
precise_openssl098: not-affected
trusty_openssl098: not-affected
devel_openssl098: not-affected