Bugzilla – Bug 922490
VUL-1: CVE-2015-0291: openssl: [1.0.2 only] OpenSSL 1.0.2 ClientHello sigalgs DoS
Last modified: 2015-03-23 10:19:01 UTC
We don't ship openssl 1.0.2.
bugbot adjusting priority
OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
=====================================================

Severity: High

If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server.

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 users should upgrade to 1.0.2a.

This issue was reported to OpenSSL on 26th February 2015 by David Ramos of Stanford University. The fix was developed by Stephen Henson and Matt Caswell of the OpenSSL development team.
only 1.0.2 affected, which we did not ship before.
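The triage the comments above do by hand ("is the version we ship exactly 1.0.2, or 1.0.2a / another branch?") written out as a small script, as an added example that is not part of the bug report, the OpenSSL advisory, or any tool named on this page. It parses OpenSSL's pre-3.0 version scheme (1.0.2 < 1.0.2a < 1.0.2b, a trailing "-fips" or build date ignored), applies the advisory's affected-version statement, and runs it over a constructed host inventory; the host names and version lines in SAMPLE_INVENTORY are invented for illustration.

```python
import re
import ssl

# OpenSSL's pre-3.0 version scheme: MAJOR.MINOR.FIX plus optional patch
# letters, ordered 1.0.2 < 1.0.2a < 1.0.2b ...  A trailing "-fips", "-beta"
# or build date is ignored for triage purposes.
_VER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)

# Status values returned by the triage functions.
VULNERABLE, FIXED, NOT_AFFECTED = "vulnerable", "fixed", "not-affected"


def parse_openssl_version(text):
    """Extract (major, minor, fix, patch_letters) from an 'openssl version'
    line or ssl.OPENSSL_VERSION.  Raises ValueError if no version is present."""
    m = _VER_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version string in %r" % text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4).lower()


def cve_2015_0291_status(text):
    """Apply the advisory's affected-version statement to one version string:
    plain 1.0.2 is vulnerable, 1.0.2a and later carry the fix, and every other
    branch (0.9.8x, 1.0.0x, 1.0.1x, ...) is not affected."""
    major, minor, fix, patch = parse_openssl_version(text)
    if (major, minor, fix) != (1, 0, 2):
        return NOT_AFFECTED
    if patch == "":
        return VULNERABLE      # "1.0.2", "1.0.2-fips", pre-release "1.0.2-beta3"
    return FIXED               # "1.0.2a", "1.0.2b", ...


def installed_status():
    """Triage the OpenSSL this Python interpreter is linked against."""
    return cve_2015_0291_status(ssl.OPENSSL_VERSION)


def triage_inventory(lines):
    """Map 'HOST <openssl version output>' lines to {host: status}.  Lines
    without a recognisable OpenSSL version are reported as 'unknown' rather
    than silently dropped, so a gap in the inventory stays visible."""
    result = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        host, _, rest = line.partition(" ")
        try:
            result[host] = cve_2015_0291_status(rest)
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory (hypothetical hosts, not data from the bug).
SAMPLE_INVENTORY = """\
web01 OpenSSL 1.0.2 22 Jan 2015
web02 OpenSSL 1.0.2a 19 Mar 2015
web03 OpenSSL 1.0.1k 8 Jan 2015
api01 OpenSSL 1.0.2-fips 22 Jan 2015
lb01  LibreSSL 2.1.3
"""

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY.splitlines()).items()):
        print("%-6s %s" % (host, status))
    print("this interpreter:", installed_status())
```

Two caveats when reading the result: distributions that backport fixes keep the upstream version number and patch in place, so a letter-less "1.0.2" from such a package is flagged vulnerable here even if the package changelog shows the fix applied; and the version string says nothing about whether the service actually allows client renegotiation, which the attack in the advisory requires.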
From: mancha <mancha1@zoho.com>
Subject: [oss-security] OpenSSL DoS tester now available (CVE-2015-0291)

Vendors/organizations interested in diagnosing exposure of their OpenSSL-based services to the recently-disclosed sigalgs DoS vulnerability (CVE-2015-0291) can use my clientnullo tester [1] and read my brief write-up [2].

--mancha

[1] http://sf.net/projects/mancha/files/clientnullo.c
[2] https://mancha1.github.io/clientnullo.html