FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2009-1377

This CVE name corresponds to:

Entered: 2009-05-30
Topic: openssl -- denial of service in DTLS implementation

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type: Candidate
Name: CVE-2009-1377
Phase: Assigned (20090423)

Description

The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of "future epoch" DTLS records that are buffered in a queue, aka "DTLS record buffer limitation bug."

References

Source / Reference
MLIST [openssl-dev] 20090516 [openssl.org #1930] [PATCH] DTLS record buffer limitation bug
MLIST [oss-security] 20090518 Two OpenSSL DTLS remote DoS
MLIST [security-announce] 20100303 VMSA-2010-0004 ESX Service Console and vMA third party updates
MISC https://launchpad.net/bugs/cve/2009-1377
CONFIRM http://cvs.openssl.org/chngview?cn=18187
CONFIRM http://rt.openssl.org/Ticket/Display.html?id=1930&user=guest&pass=guest
CONFIRM http://sourceforge.net/mailarchive/message.php?msg_name=4AD43807.7080105%40users.sourceforge.net
CONFIRM http://voodoo-circle.sourceforge.net/sa/sa-20091012-01.html
CONFIRM https://kb.bluecoat.com/index?page=content&id=SA50
GENTOO GLSA-200912-01
HP HPSBMA02492
HP SSRT100079
MANDRIVA MDVSA-2009:120
NETBSD NetBSD-SA2009-009
REDHAT RHSA-2009:1335
SLACKWARE SSA:2010-060-02
SUSE SUSE-SR:2009:011
UBUNTU USN-792-1
BID 35001
OVAL oval:org.mitre.oval:def:6683
OVAL oval:org.mitre.oval:def:9663
SECTRACK 1022241
SECUNIA 35128
SECUNIA 35416
SECUNIA 35461
SECUNIA 35571
SECUNIA 35729
SECUNIA 37003
SECUNIA 38761
SECUNIA 38794
SECUNIA 38834
SECUNIA 42724
SECUNIA 42733
SECUNIA 36533
VUPEN ADV-2009-1377
VUPEN ADV-2010-0528