FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2014-3511

This CVE name corresponds to:

Entered: 2014-08-06
Topic: OpenSSL -- multiple vulnerabilities

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type: Candidate
Name: CVE-2014-3511
Phase: Assigned (20140514)

Description

The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue.

References

Source Reference
CONFIRM https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=280b1f1ad12131defcd986676a8fc9717aaa601b
CONFIRM https://www.openssl.org/news/secadv_20140806.txt
CONFIRM http://www.arubanetworks.com/support/alerts/aid-08182014.txt
CONFIRM http://www.tenable.com/security/tns-2014-06
CONFIRM http://aix.software.ibm.com/aix/efixes/security/openssl_advisory10.asc
CONFIRM https://kc.mcafee.com/corporate/index?page=content&id=SB10084
CONFIRM http://www.splunk.com/view/SP-CAAANHS
CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21686997
CONFIRM http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-372998.htm
CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21682293
DEBIAN DSA-2998
GENTOO GLSA-201412-39
HP HPSBMU03260
HP SSRT101894
HP HPSBMU03216
HP SSRT101818
HP HPSBMU03267
HP HPSBHF03293
HP SSRT101846
HP HPSBMU03304
NETBSD NetBSD-SA2014-008
REDHAT RHSA-2015:0197
REDHAT RHSA-2015:0126
SUSE openSUSE-SU-2014:1052
SECUNIA 59887
SECUNIA 60377
SECUNIA 60810
SECUNIA 60890
SECUNIA 60917
SECUNIA 60921
SECUNIA 60938
SECUNIA 61775
SECUNIA 61959
SECUNIA 59756