CVE-2012-2686
EPSS 63.1%
Description
crypto/evp/e_aes_cbc_hmac_sha1.c in the AES-NI functionality in the TLS 1.1 and 1.2 implementations in OpenSSL 1.0.1 before 1.0.1d allows remote attackers to cause a denial of service (application crash) via crafted CBC data.
How to fix CVE-2012-2686
To remediate CVE-2012-2686, upgrade the affected package to a fixed version listed below.
- Debian/openssl: upgrade to 1.0.1e-1 or later
Is CVE-2012-2686 being exploited?
Likely — EPSS is 63.1%, placing CVE-2012-2686 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- from 0, < 1.0.1e-1