Out-of-Bounds Affecting openssl package, versions >=1.0.0, <1.0.8
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-COCOAPODS-OPENSSL-470748
- published 2 Oct 2019
- disclosed 28 Mar 2014
- credit Unknown
Introduced: 28 Mar 2014
CVE-2014-8176 Open this link in a new tabHow to fix?
Upgrade OpenSSL
to version 1.0.8 or higher.
Overview
OpenSSL is a SSL/TLS and Crypto toolkit. Deprecated in Mac OS and gone in iOS, this spec gives your project non-deprecated OpenSSL support.
Affected versions of this package are vulnerable to Out-of-Bounds. OpenSSL is vulnerable to denial of service (DoS) attacks through memory consumption and application crash. This is caused because the dtls1_clear_queues function in d1_lib.c frees data not taking into account that application data could arrive between the ChangeCipherSpec message and the Finished message. This can cause the DTLS peer to buffer the application data and cause a segmentation fault.
References
- Debian Security Advisory
- Gentoo Security Advisory
- GitHub Commit
- HPE Support Center Security Bulletin
- http://fortiguard.com/advisory/openssl-vulnerabilities-june-2015
- http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2015-008.txt.asc
- https://bto.bluecoat.com/security-advisory/sa98
- https://kc.mcafee.com/corporate/index?page=content&id=SB10122
- https://rt.openssl.org/Ticket/Display.html?id=3286&user=guest&pass=guest
- https://www.openssl.org/news/secadv_20150611.txt
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150612-openssl
- http://www.fortiguard.com/advisory/openssl-vulnerabilities-june-2015
- OpenSSL Security Advisory
- OpenSuse Security Announcement
- OpenSuse Security Announcement
- RedHat Security Advisory
- RedHat Security Advisory
- Security Focus
- Security Tracker
- Ubuntu Security Advisory