OpenSSL contains a flaw that may allow a remote denial of service. The issue is triggered when an error occurs while parsing malformed ClientHello handshake messages, which may be exploited to trigger an invalid memory access with a crafted ClientHello handshake message. This may allow a remote attacker to cause a denial of service. Certain applications which use SSL may also allow the disclosure of the contents of parsed OCSP extensions.

Upgrade to version 0.9.8r or 1.0.0d or higher, as they have been reported to fix this vulnerability. In addition, the OpenSSL team has released a patch for some older versions.

• Security Tracker: 1025050
• CVE ID: 2011-0014 (see also: NVD)
• Secunia Advisory ID: 42504 43012 43227 43286 43301 43339 43904 44269 44421 44533 44657 45054 45150 46342 46742 46904 47423 47807 47863 50476 52019 52543 52869 52892
• Bugtraq ID: 46264
• VUPEN Advisory: ADV-2011-0387 ADV-2011-0389 ADV-2011-0395 ADV-2011-0399
• Vendor Specific Advisory URL: http://aix.software.ibm.com/aix/efixes/security/openssl_advisory2.asc
  http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02896506
  http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03280632
  http://security.gentoo.org/glsa/glsa-201110-01.xml
  http://slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.668823
  http://support.apple.com/kb/HT4723
  http://www.debian.org/security/2011/dsa-2162
  http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_sterling_connect_enterprise_for_unix_is_affected_by_multiple_vulnerabilities_in_openssl12
  http://www.vmware.com/security/advisories/VMSA-2012-0013.html
  https://hermes.opensuse.org/messages/7744270
  https://hermes.opensuse.org/messages/7744274
  https://kb.bluecoat.com/index?page=content&id=SA68
  https://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_infosphere_balanced_warehouse_c3000_c4000_and_d5100_and_ibm_smart_analytics_system_1050_2050_5600_and_5710_are_affected_by_vulnerabilities_in_openssl16
  https://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02824483
• Vendor Specific News/Changelog Entry: http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054007.html
  http://lists.fedoraproject.org/pipermail/package-announce/2011-May/059313.html
  http://lists.fedoraproject.org/pipermail/package-announce/2011-May/059314.html
  http://security.gentoo.org/glsa/glsa-201110-01.xml
  http://www.ibm.com/support/docview.wss?uid=nas12088ececb530423186257b410072035e
  http://www.ibm.com/support/docview.wss?uid=swg21627934
  http://www.ibm.com/support/docview.wss?uid=swg21633107
  https://hermes.opensuse.org/messages/13154473
  https://lists.balabit.hu/pipermail/syslog-ng-announce/2011-November/000127.html
  https://lists.balabit.hu/pipermail/syslog-ng-announce/2011-November/000128.html
  https://lists.balabit.hu/pipermail/syslog-ng-announce/2011-November/000129.html
  https://lists.ubuntu.com/archives/ubuntu-security-announce/2011-February/001248.html
  https://www.ibm.com/support/docview.wss?uid=swg21619837
• Packet Storm: http://packetstormsecurity.org/files/111915/HP-Security-Bulletin-HPSBMU02764-SSRT100827.html
  http://packetstormsecurity.org/files/112043/HP-Security-Bulletin-HPSBMU02764-SSRT100827-2.html
• Mail List Post: http://seclists.org/bugtraq/2011/Apr/192
  http://seclists.org/bugtraq/2011/May/68
  http://seclists.org/bugtraq/2012/Apr/112
  http://seclists.org/bugtraq/2012/Apr/159
  http://seclists.org/fulldisclosure/2011/Oct/410
• Other Advisory URL: http://www.mandriva.com/security/advisories?name=MDVSA-2011:028
  http://www.openssl.org/news/secadv_20110208.txt
  http://www.ubuntu.com/usn/USN-1064-1
• RedHat RHSA: https://rhn.redhat.com/errata/RHSA-2011-0677.html

• Neel Mehta - Google Security Team