Bugzilla – Bug 922494
VUL-1: CVE-2015-0207: openssl: [1.0.2 only] Segmentation fault in DTLSv1_listen
Last modified: 2015-03-19 14:09:58 UTC
We don't ship openssl 1.0.2.
bugbot adjusting priority
http://openssl.org/news/secadv_20150319.txt Segmentation fault in DTLSv1_listen (CVE-2015-0207) =================================================== Severity: Moderate The DTLSv1_listen function is intended to be stateless and processes the initial ClientHello from many peers. It is common for user code to loop over the call to DTLSv1_listen until a valid ClientHello is received with an associated cookie. A defect in the implementation of DTLSv1_listen means that state is preserved in the SSL object from one invocation to the next that can lead to a segmentation fault. Errors processing the initial ClientHello can trigger this scenario. An example of such an error could be that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only server. This issue affects OpenSSL version: 1.0.2 OpenSSL 1.0.2 DTLS users should upgrade to 1.0.2a. This issue was reported to OpenSSL on 27th January 2015 by Per Allansson. The fix was developed by Matt Caswell of the OpenSSL development team.
we did not yet ship 1.0.2, so none of our products are not affected by this problem.