CVE-2014-0195

2014-06-05 Thread Jeffrey Walton
CVE-2014-0195 is a buffer overflow (https://www.openssl.org/news/secadv_20140605.txt): A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client

RE: CVE-2014-0195

2014-06-05 Thread Salz, Rich
> Does that mean this RCE is a heap based overflow? I/O buffers in openssl are generally (always?) from the heap, not on the stack. So yes in general, and yes in this specific case. /r$ -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: Ri

Re: CVE-2014-0195

2014-06-06 Thread Stuart Henderson
On 2014-06-05, Jeffrey Walton wrote: > CVE-2014-0195 is a buffer overflow > (https://www.openssl.org/news/secadv_20140605.txt): By the way, this one is currently missing from the list on http://www.openssl.org/news/vulnerabilitie

Re: CVE-2014-0195

2014-06-06 Thread Florian Weimer
On 06/06/2014 04:12 AM, Salz, Rich wrote: Does that mean this RCE is a heap based overflow? I/O buffers in openssl are generally (always?) from the heap, not on the stack. The DTLS code uses on-stack buffers for discarding packets, but those read calls are not affected by the present issue.

OpenSSL Vulnerability CVE-2014-0195

2014-06-09 Thread Jaya Nageswar
Hi All, We are currently using openssl 0.9.8 h version in one of our components. I would like to get some additional information about the vulnerability “DTLS invalid fragment vulnerability (CVE-2014-0195)”. I could get the information about all other vulnerabilities that are fixed in 0.9.8 za

RE: OpenSSL Vulnerability CVE-2014-0195

2014-06-23 Thread Venkataragavan Narayanaswamy
Hi All, We are using openSSL 0.9.8d and want to confirm if we are vulnerable to CVE-2014-0195 and if there is a patch for the same. Thanks in advance, Venkat From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jaya Nageswar Sent: Monday, June 09, 2014 7

Re: OpenSSL Vulnerability CVE-2014-0195

2014-06-23 Thread James
to get some additional information about the vulnerability “DTLS > invalid fragment vulnerability (CVE-2014-0195)”. I could get the > information about all other vulnerabilities that are fixed in 0.9.8 za > except this vulnerability at > https://www.openssl.org/news/vulnerabilities.html

Advisory on CVE 2014-0195 not listed on main vulnerabilities page

2014-06-23 Thread Jakob Bohm
Dear OpenSSL web page subteam, CVE 2014-0195 is listed in https://www.openssl.org/news/secadv_20140605.txt as fixed by the latest round of security fixes, however it is missing from the primary cross reference at https://www.openssl.org/news/vulnerabilities.html You may wish to update

Re: Advisory on CVE 2014-0195 not listed on main vulnerabilities page

2014-06-23 Thread Geoffrey Thorpe
Hi Jakob, Thanks - I think this has now been corrected, the website should sync within an hour or so. Please let me know if you see anything amiss. Cheers, Geoff On Mon, Jun 23, 2014 at 8:15 AM, Jakob Bohm wrote: > Dear OpenSSL web page subteam, > > CVE 2014-0195 is listed in

RE: Advisory on CVE 2014-0195 not listed on main vulnerabilities page

2014-06-23 Thread Scott Neugroschl
AM To: jb-open...@wisemo.com Cc: openssl-users@openssl.org Subject: Re: Advisory on CVE 2014-0195 not listed on main vulnerabilities page Hi Jakob, Thanks - I think this has now been corrected, the website should sync within an hour or so. Please let me know if you see anything amiss. Cheers