Bugzilla – Bug 922493
VUL-1: CVE-2015-0290: openssl: [1.0.2 only] Multiblock corrupted pointer
Last modified: 2015-03-19 14:08:20 UTC
We don't ship openssl 1.0.2.
bugbot adjusting priority
http://openssl.org/news/secadv_20150319.txt Multiblock corrupted pointer (CVE-2015-0290) ============================================ Severity: Moderate OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This feature only applies on 64 bit x86 architecture platforms that support AES NI instructions. A defect in the implementation of "multiblock" can cause OpenSSL's internal write buffer to become incorrectly set to NULL when using non-blocking IO. Typically, when the user application is using a socket BIO for writing, this will only result in a failed connection. However if some other BIO is used then it is likely that a segmentation fault will be triggered, thus enabling a potential DoS attack. This issue affects OpenSSL version: 1.0.2 OpenSSL 1.0.2 users should upgrade to 1.0.2a. This issue was reported to OpenSSL on 13th February 2015 by Daniel Danner and Rainer Mueller. The fix was developed by Matt Caswell of the OpenSSL development team.
only 1.0.2 affected, which we did not ship yet.